When shutdown a LAN-type circuit, and if the current device is not the DIS (assuming it is a level-1 device), the isis_circuit_down() function will not call the isis_dr_resign() function to clear the circuit->u.bc.run_dr_elect[0] bit (this bit is set on interfaces in the isis_run_dr() function). After switching the link to a P2P type, since u.p2p and u.bc form a union, and circuit->u.bc.snpa = "\000\000\000\000\000" and circuit->u.bc.run_dr_elect = "\001", this results in circuit->u.p2p.neighbor = 0x1000000000000. Consequently, the value of adj->sysid accesses a wild pointer, causing the current crash.
The backtrace is as follows:
(gdb) bt
#0 0x00007fbd30e55fe1 in raise () from /lib/x86_64-linux-gnu/libpthread.so.0
#1 0x00007fbd30f76b29 in core_handler (signo=11, siginfo=0x7ffc60b7a270,
context=0x7ffc60b7a140) at ../lib/sigevent.c:261
#2 <signal handler called>
#3 0x00007fbd30dddba4 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x0000562aec46617f in isis_spf_run_lfa (area=0x562aee3a56d0, spftree=0x562aee3a51a0)
at ../isisd/isis_lfa.c:2403
#5 0x0000562aec483854 in isis_run_spf_with_protection (area=0x562aee3a56d0,
spftree=0x562aee3a51a0) at ../isisd/isis_spf.c:1891
#6 0x0000562aec483b05 in isis_run_spf_cb (thread=0x7ffc60b7b000)
at ../isisd/isis_spf.c:1953
#7 0x00007fbd30f900bb in thread_call (thread=0x7ffc60b7b000) at ../lib/thread.c:1990
#8 0x00007fbd30f2897b in frr_run (master=0x562aee0833c0) at ../lib/libfrr.c:1198
#9 0x0000562aec454d6d in main (argc=5, argv=0x7ffc60b7b228, envp=0x7ffc60b7b258)
at ../isisd/isis_main.c:273
(gdb) f 4
#4 0x0000562aec46617f in isis_spf_run_lfa (area=0x562aee3a56d0, spftree=0x562aee3a51a0)
at ../isisd/isis_lfa.c:2403
2403 ../isisd/isis_lfa.c: No such file or directory.
(gdb) p circuit->u.p2p.neighbor
$1 = (struct isis_adjacency *) 0x1000000000000
(gdb) p adj->sysid
Cannot access memory at address 0x1000000000006
(gdb) p circuit->u.bc
$2 = {snpa = "\000\000\000\000\000", run_dr_elect = "\001", t_run_dr = {0x0, 0x0},
t_send_lan_hello = {0x0, 0x0}, adjdb = {0x0, 0x0}, lan_neighs = {0x0, 0x0},
is_dr = "\000", l1_desig_is = "\000\000\000\000\000\000",
l2_desig_is = "\000\000\000\000\000\000", t_refresh_pseudo_lsp = {0x0, 0x0}}
(gdb)
The backtrace provided above pertains to version 8.5.4, but it seems that the same issue exists in the code of the master branch as well.
Signed-off-by: baozhen-H3C <bao.zhen@h3c.com>
Fix defect flagged by Coverity:
*** CID 1599957: Null pointer dereferences (REVERSE_INULL)
/ospf6d/ospf6_intra.c: 581 in ospf6_link_lsa_get_prefix_str()
575 int buflen, int pos)
576 {
577 struct ospf6_link_lsa *link_lsa = lsa_after_header(lsa->header);
578 struct ospf6_prefix *prefix = nth_prefix(lsa->header, pos);
579 struct in6_addr in6 = { 0 };
580
>>> CID 1599957: Null pointer dereferences (REVERSE_INULL)
>>> Null-checking "lsa" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
581 if (!lsa || !prefix || !buf || buflen < (1 + INET6_ADDRSTRLEN))
582 return NULL;
583
584 /* position zero is used for the lladdr in the body of the LSA */
585 if (pos == 0) {
586 inet_ntop(AF_INET6, &link_lsa->linklocal_addr, buf, buflen);
The check for lsa being not-null happens in ospf6_lsdb_show() and
first dereference happens in ospf6_lsa_show_summary()
Signed-off-by: Andrew Cooks <acooks.at.bda@gmail.com>
Add the abilty to track how much time is spent in routemaps.
Example of the new output:
eva# show route-map
ZEBRA:
route-map: FOO Invoked: 1000000 (323 milliseconds total) Optimization: enabled Processed Change: false
deny, sequence 10 Invoked 1000000 (320 milliseconds total)
Match clauses:
Set clauses:
Call clause:
Action:
Exit routemap
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Add a basic topology that allows the testing of BGP and zebra
at scale. I built this to help me find and fix problems with
a large number of bgp peers. Since I plan to keep using this
and as I understand it there are future plans to take this
higher, I would like to add this as a test that people can invoke
with this command:
sudo -E python3 -m pytest -s -vv --topology-only
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
Under certain timing conditions, the current logic asserts in
ospf_lsa_refresh_delay(). While this isn't readily reproducible,
the only explanation is that the conversion from struct timeval
to milliseconds is 0 due to rounding off the microseconds.
Signed-off-by: Acee <aceelindem@gmail.com>
Currently when doing a `show ip route table XXXX`, zebra is displaying
the current default vrf as the vrf we are in. We are displaying a
table not a vrf. This is only true if you are not using namespace
based vrf's, so modify the output to display accordingly.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
`ZEBRA_DEBUG_SRV6` is not the correct macro to evaluate if SRv6 debug is enabled or not.
The correct macro is `IS_ZEBRA_DEBUG_SRV6`.
Fix this by replacing `ZEBRA_DEBUG_SRV6` with `IS_ZEBRA_DEBUG_SRV6`.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
`ZEBRA_DEBUG_SRV6` is not the correct macro to evaluate if SRv6 debug is enabled or not.
The correct macro is `IS_ZEBRA_DEBUG_SRV6`.
Fix this by replacing `ZEBRA_DEBUG_SRV6` with `IS_ZEBRA_DEBUG_SRV6`.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
`ZEBRA_DEBUG_SRV6` is not the correct macro to evaluate if SRv6 debug is enabled or not.
The correct macro is `IS_ZEBRA_DEBUG_SRV6`.
Fix this by replacing `ZEBRA_DEBUG_SRV6` with `IS_ZEBRA_DEBUG_SRV6`.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
`ZEBRA_DEBUG_SRV6` is not the correct macro to evaluate if SRv6 debug is enabled or not.
The correct macro is `IS_ZEBRA_DEBUG_SRV6`.
Fix this by replacing `ZEBRA_DEBUG_SRV6` with `IS_ZEBRA_DEBUG_SRV6`.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
`ZEBRA_DEBUG_SRV6` is not the correct macro to evaluate if SRv6 debug is enabled or not.
The correct macro is `IS_ZEBRA_DEBUG_SRV6`.
Fix this by replacing `ZEBRA_DEBUG_SRV6` with `IS_ZEBRA_DEBUG_SRV6`.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
`ZEBRA_DEBUG_SRV6` is not the correct macro to evaluate if SRv6 debug is enabled or not.
The correct macro is `IS_ZEBRA_DEBUG_SRV6`.
Fix this by replacing `ZEBRA_DEBUG_SRV6` with `IS_ZEBRA_DEBUG_SRV6`.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
`ZEBRA_DEBUG_SRV6` is not the correct macro to evaluate if SRv6 debug is enabled or not.
The correct macro is `IS_ZEBRA_DEBUG_SRV6`.
Fix this by replacing `ZEBRA_DEBUG_SRV6` with `IS_ZEBRA_DEBUG_SRV6`.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
`ZEBRA_DEBUG_SRV6` is not the correct macro to evaluate if SRv6 debug is enabled or not.
The correct macro is `IS_ZEBRA_DEBUG_SRV6`.
Fix this by replacing `ZEBRA_DEBUG_SRV6` with `IS_ZEBRA_DEBUG_SRV6`.
Signed-off-by: Carmine Scarpitta <cscarpit@cisco.com>
Currently zebra starts the graceful restart timer as well as
allows connections from clients before all data is read in
from the kernel as well as the possiblity of allowing client
connections before this happens as well.
Let's move the graceful restart timer start till after this is
done as well as not allowing client connections till then as well.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
The `alloc` counter was tracking the current active
number of events in the system and if it went to
0 when freeing a new one it would assert. This
assert is a duplicate of what would happen with the
XFREE in the same situation. As such it is not
necessary.
Also remove the `event_master_free_unused` function
from the system.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
