From 5605ecfc1f059efff8ee2b558524456b0fe5a4b1 Mon Sep 17 00:00:00 2001 From: Donald Sharp Date: Thu, 17 May 2018 18:46:14 -0400 Subject: [PATCH 1/2] zebra: memset buf to prevent uninited writes into kernel Setup the buf used for extra data passed into kernel such that we are cleaning it out before writing data to it, so we can avoid writing uninited data. Signed-off-by: Donald Sharp --- zebra/rt_netlink.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c index 9510a0e12c..2fd7bee056 100644 --- a/zebra/rt_netlink.c +++ b/zebra/rt_netlink.c @@ -1308,8 +1308,7 @@ static int netlink_neigh_update(int cmd, int ifindex, uint32_t addr, char *lla, struct zebra_ns *zns = zebra_ns_lookup(ns_id); - memset(&req.n, 0, sizeof(req.n)); - memset(&req.ndm, 0, sizeof(req.ndm)); + memset(&req, 0, sizeof(req)); req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ndmsg)); req.n.nlmsg_flags = NLM_F_CREATE | NLM_F_REQUEST; @@ -1666,8 +1665,7 @@ int kernel_get_ipmr_sg_stats(struct zebra_vrf *zvrf, void *in) struct zebra_ns *zns; zns = zvrf->zns; - memset(&req.n, 0, sizeof(req.n)); - memset(&req.ndm, 0, sizeof(req.ndm)); + memset(&req, 0, sizeof(req)); req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ndmsg)); req.n.nlmsg_flags = NLM_F_REQUEST; @@ -1759,8 +1757,7 @@ static int netlink_vxlan_flood_list_update(struct interface *ifp, struct zebra_vrf *zvrf = zebra_vrf_lookup_by_id(ifp->vrf_id); zns = zvrf->zns; - memset(&req.n, 0, sizeof(req.n)); - memset(&req.ndm, 0, sizeof(req.ndm)); + memset(&req, 0, sizeof(req)); req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ndmsg)); req.n.nlmsg_flags = NLM_F_REQUEST; @@ -2075,8 +2072,7 @@ static int netlink_macfdb_update(struct interface *ifp, vlanid_t vid, return -1; } - memset(&req.n, 0, sizeof(req.n)); - memset(&req.ndm, 0, sizeof(req.ndm)); + memset(&req, 0, sizeof(req)); req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ndmsg)); req.n.nlmsg_flags = NLM_F_REQUEST; 
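Review bot: The new `memset(&req, 0, sizeof(req));` in netlink_neigh_update carries no comment saying why the whole request is cleared, so a later cleanup could narrow it back to the per-member memsets this commit removes. The same applies to the identical line in kernel_get_ipmr_sg_stats, netlink_vxlan_flood_list_update, netlink_macfdb_update and netlink_neigh_update2. I would add above each one `/* Clear the entire request, attribute buffer and padding included, so no uninitialised bytes reach the kernel. */`. A `= {0}` initialiser would not be an equivalent replacement, since it is not guaranteed to clear padding between members. The declaration of `req` and the rest of each function lie outside the hunks.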
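Review bot: In netlink_vxlan_flood_list_update the result of `zebra_vrf_lookup_by_id(ifp->vrf_id)` is dereferenced on the very next line (`zns = zvrf->zns;`) without a NULL check, and the hunk for netlink_neigh_update2 shows the same two lines. If the lookup can return NULL, for instance while a VRF is being torn down, zebra would crash here before the request is built; that cannot be confirmed from the diff, since the lookup function is not shown. A guard such as `if (!zvrf) return -1;` before the assignment would make this explicit. Both functions start and end outside their hunks, so an earlier check may already exist.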
@@ -2392,8 +2388,7 @@ static int netlink_neigh_update2(struct interface *ifp, struct ipaddr *ip, struct zebra_vrf *zvrf = zebra_vrf_lookup_by_id(ifp->vrf_id); zns = zvrf->zns; - memset(&req.n, 0, sizeof(req.n)); - memset(&req.ndm, 0, sizeof(req.ndm)); + memset(&req, 0, sizeof(req)); req.n.nlmsg_len = NLMSG_LENGTH(sizeof(struct ndmsg)); req.n.nlmsg_flags = NLM_F_REQUEST; From 987d8198731a6a137ad52c0b637353c8844b7916 Mon Sep 17 00:00:00 2001 From: Donald Sharp Date: Thu, 17 May 2018 18:54:25 -0400 Subject: [PATCH 2/2] bgpd: Clean up some evpn memory leaks Signed-off-by: Donald Sharp --- bgpd/bgp_evpn.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/bgpd/bgp_evpn.c b/bgpd/bgp_evpn.c index 74a4f66098..8394c3a7b7 100644 --- a/bgpd/bgp_evpn.c +++ b/bgpd/bgp_evpn.c @@ -327,6 +327,12 @@ static int evpn_route_target_cmp(struct ecommunity *ecom1, return strcmp(ecom1->str, ecom2->str); } +static void evpn_xxport_delete_ecomm(void *val) +{ + struct ecommunity *ecomm = val; + ecommunity_free(&ecomm); +} + /* * Mask off global-admin field of specified extended community (RT), * just retain the local-admin field. @@ -3240,8 +3246,6 @@ static void bgp_evpn_handle_export_rt_change_for_vrf(struct bgp *bgp_vrf) static void update_autort_vni(struct hash_backet *backet, struct bgp *bgp) { struct bgpevpn *vpn = backet->data; - struct listnode *node, *nnode; - struct ecommunity *ecom; if (!vpn) { zlog_warn("%s: VNI hash entry for VNI not found", __PRETTY_FUNCTION__); 
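Review bot: The new evpn_xxport_delete_ecomm has no comment, and the name does not say that "xxport" stands for the import and export route-target lists. I would put `/* List del callback: frees the ecommunity held by a node of an import or export RT list. */` above it and leave a blank line between the declaration of `ecomm` and the `ecommunity_free(&ecomm);` call. Note that `ecommunity_free` receives the address of the local copy, so whatever it does to that pointer does not reach the list node's own data pointer. That is harmless only as long as the list code discards the node straight after calling `del`, which is not visible here.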
@@ -3252,16 +3256,12 @@ static void update_autort_vni(struct hash_backet *backet, struct bgp *bgp) if (is_vni_live(vpn)) bgp_evpn_uninstall_routes(bgp, vpn); bgp_evpn_unmap_vni_from_its_rts(bgp, vpn); - for (ALL_LIST_ELEMENTS(vpn->import_rtl, node, nnode, ecom)) - ecommunity_free(&ecom); list_delete_all_node(vpn->import_rtl); bgp_evpn_derive_auto_rt_import(bgp, vpn); if (is_vni_live(vpn)) bgp_evpn_install_routes(bgp, vpn); } if (!is_export_rt_configured(vpn)) { - for (ALL_LIST_ELEMENTS(vpn->export_rtl, node, nnode, ecom)) - ecommunity_free(&ecom); list_delete_all_node(vpn->export_rtl); bgp_evpn_derive_auto_rt_export(bgp, vpn); if (is_vni_live(vpn)) @@ -4100,8 +4100,10 @@ struct bgpevpn *bgp_evpn_new(struct bgp *bgp, vni_t vni, /* Initialize route-target import and export lists */ vpn->import_rtl = list_new(); vpn->import_rtl->cmp = (int (*)(void *, void *))evpn_route_target_cmp; + vpn->import_rtl->del = evpn_xxport_delete_ecomm; vpn->export_rtl = list_new(); vpn->export_rtl->cmp = (int (*)(void *, void *))evpn_route_target_cmp; + vpn->export_rtl->del = evpn_xxport_delete_ecomm; bf_assign_index(bm->rd_idspace, vpn->rd_id); derive_rd_rt_for_vni(bgp, vpn); @@ -4651,10 +4653,11 @@ void bgp_evpn_init(struct bgp *bgp) bgp->vrf_import_rtl = list_new(); bgp->vrf_import_rtl->cmp = (int (*)(void *, void *))evpn_route_target_cmp; - + bgp->vrf_import_rtl->del = evpn_xxport_delete_ecomm; bgp->vrf_export_rtl = list_new(); bgp->vrf_export_rtl->cmp = (int (*)(void *, void *))evpn_route_target_cmp; + bgp->vrf_export_rtl->del = evpn_xxport_delete_ecomm; bgp->l2vnis = list_new(); bgp->l2vnis->cmp = (int (*)(void *, void *))vni_hash_cmp; }
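Review bot: Setting `del` on `vpn->import_rtl` and `vpn->export_rtl` in bgp_evpn_new makes the lists the owner of their ecommunity elements, and nothing in the diff documents that new ownership rule. The same applies to `bgp->vrf_import_rtl` and `bgp->vrf_export_rtl` in the bgp_evpn_init hunk. Any code outside this diff that still calls `ecommunity_free` on the elements before emptying or deleting one of these four lists, as update_autort_vni did until this commit, would now free each element twice, so those paths need the same clean-up; conversely, a path that unlinks a single node and expects the element to stay alive must not go through a routine that invokes `del`. A short comment next to the assignments, for example `/* list owns its ecommunities; freed via del */`, would make that visible. Separately, the bgp_evpn_init hunk drops the blank line that separated the import and export setup, which I would keep.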