mirror of https://git.proxmox.com/git/mirror_frr synced 2025-08-05 20:51:17 +00:00

Go to file

Donald Sharp dd5bab0c09 lib: Fix read beyond end of data structure Our Address Sanitizer CI is finding this issue: error 09-Oct-2019 19:28:33 r4: bgpd triggered an exception by AddressSanitizer error 09-Oct-2019 19:28:33 ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdd425b060 at pc 0x00000068575f bp 0x7ffdd4258550 sp 0x7ffdd4258540 error 09-Oct-2019 19:28:33 READ of size 1 at 0x7ffdd425b060 thread T0 error 09-Oct-2019 19:28:33 #0 0x68575e in prefix_cmp lib/prefix.c:776 error 09-Oct-2019 19:28:33 #1 0x5889f5 in rfapiItBiIndexSearch bgpd/rfapi/rfapi_import.c:2230 error 09-Oct-2019 19:28:33 #2 0x5889f5 in rfapiBgpInfoFilteredImportVPN bgpd/rfapi/rfapi_import.c:3520 error 09-Oct-2019 19:28:33 #3 0x58b909 in rfapiProcessWithdraw bgpd/rfapi/rfapi_import.c:4071 error 09-Oct-2019 19:28:33 #4 0x4c459b in bgp_withdraw bgpd/bgp_route.c:3736 error 09-Oct-2019 19:28:33 #5 0x484122 in bgp_nlri_parse_vpn bgpd/bgp_mplsvpn.c:237 error 09-Oct-2019 19:28:33 #6 0x497f52 in bgp_nlri_parse bgpd/bgp_packet.c:315 error 09-Oct-2019 19:28:33 #7 0x49d06d in bgp_update_receive bgpd/bgp_packet.c:1598 error 09-Oct-2019 19:28:33 #8 0x49d06d in bgp_process_packet bgpd/bgp_packet.c:2274 error 09-Oct-2019 19:28:33 #9 0x6b9f54 in thread_call lib/thread.c:1531 error 09-Oct-2019 19:28:33 #10 0x657037 in frr_run lib/libfrr.c:1052 error 09-Oct-2019 19:28:33 #11 0x42d268 in main bgpd/bgp_main.c:486 error 09-Oct-2019 19:28:33 #12 0x7f806032482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) error 09-Oct-2019 19:28:33 #13 0x42bcc8 in _start (/usr/lib/frr/bgpd+0x42bcc8) error 09-Oct-2019 19:28:33 error 09-Oct-2019 19:28:33 Address 0x7ffdd425b060 is located in stack of thread T0 at offset 240 in frame error 09-Oct-2019 19:28:33 #0 0x483945 in bgp_nlri_parse_vpn bgpd/bgp_mplsvpn.c:103 error 09-Oct-2019 19:28:33 error 09-Oct-2019 19:28:33 This frame has 5 object(s): error 09-Oct-2019 19:28:33 [32, 36) 'label' error 09-Oct-2019 19:28:33 [96, 108) 'rd_as' error 09-Oct-2019 19:28:33 [160, 172) 'rd_ip' error 09-Oct-2019 19:28:33 [224, 240) 'prd' <== Memory access at offset 240 overflows this variable error 09-Oct-2019 19:28:33 [288, 336) 'p' error 09-Oct-2019 19:28:33 HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext error 09-Oct-2019 19:28:33 (longjmp and C++ exceptions are supported) error 09-Oct-2019 19:28:33 SUMMARY: AddressSanitizer: stack-buffer-overflow lib/prefix.c:776 prefix_cmp error 09-Oct-2019 19:28:33 Shadow bytes around the buggy address: error 09-Oct-2019 19:28:33 0x10003a8435b0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 error 09-Oct-2019 19:28:33 0x10003a8435c0: 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 error 09-Oct-2019 19:28:33 0x10003a8435d0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 error 09-Oct-2019 19:28:33 0x10003a8435e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 error 09-Oct-2019 19:28:33 0x10003a8435f0: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 04 f4 f4 f2 f2 error 09-Oct-2019 19:28:33 =>0x10003a843600: f2 f2 00 04 f4 f4 f2 f2 f2 f2 00 00[f4]f4 f2 f2 error 09-Oct-2019 19:28:33 0x10003a843610: f2 f2 00 00 00 00 00 00 f4 f4 f3 f3 f3 f3 00 00 error 09-Oct-2019 19:28:33 0x10003a843620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 error 09-Oct-2019 19:28:33 0x10003a843630: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f4 error 09-Oct-2019 19:28:33 0x10003a843640: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 00 error 09-Oct-2019 19:28:33 0x10003a843650: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 error 09-Oct-2019 19:28:33 Shadow byte legend (one shadow byte represents 8 application bytes): error 09-Oct-2019 19:28:33 Addressable: 00 error 09-Oct-2019 19:28:33 Partially addressable: 01 02 03 04 05 06 07 error 09-Oct-2019 19:28:33 Heap left redzone: fa error 09-Oct-2019 19:28:33 Heap right redzone: fb error 09-Oct-2019 19:28:33 Freed heap region: fd error 09-Oct-2019 19:28:33 Stack left redzone: f1 error 09-Oct-2019 19:28:33 Stack mid redzone: f2 error 09-Oct-2019 19:28:33 Stack right redzone: f3 error 09-Oct-2019 19:28:33 Stack partial redzone: f4 error 09-Oct-2019 19:28:33 Stack after return: f5 error 09-Oct-2019 19:28:33 Stack use after scope: f8 error 09-Oct-2019 19:28:33 Global redzone: f9 error 09-Oct-2019 19:28:33 Global init order: f6 error 09-Oct-2019 19:28:33 Poisoned by user: f7 error 09-Oct-2019 19:28:33 Container overflow: fc error 09-Oct-2019 19:28:33 Array cookie: ac error 09-Oct-2019 19:28:33 Intra object redzone: bb error 09-Oct-2019 19:28:33 ASan internal: fe error 09-Oct-2019 19:28:36 r3: Daemon bgpd not running This is the result of this code pattern in rfapi/rfapi_import.c: prefix_cmp((struct prefix )&bpi_result->extra->vnc.import.rd, (struct prefix )prd)) Effectively prd or vnc.import.rd are `struct prefix_rd` which are being typecast to a `struct prefix`. Not a big deal except commit `1315d74de9` modified the prefix_cmp function to allow for a sorted prefix_cmp. In prefix_cmp we were looking at the offset and shift. In the case of vnc we were passing a prefix length of 64 which is the exact length of the remaining data structure for struct prefix_rd. So we calculated a offset of 8 and a shift of 0. The data structures for the prefix portion happened to be equal to 64 bits of data. So we checked that with the memcmp got a 0 and promptly read off the end of the data structure for the numcmp. The fix is if shift is 0 that means thei the memcmp has checked everything and there is nothing to do. Please note: We will still crash if we set the prefixlen > then ~312 bits currently( ie if the prefixlen specifies a bit length longer than the prefix length ). I do not think there is anything to do here( nor am I sure how to correct this either ) as that we are going to have some severe problems when we muck up the prefixlen. Fixes: #5025 Signed-off-by: Donald Sharp <sharpd@cumulusnetworks.com>		2019-10-10 09:03:56 -04:00
.github	.github: move pr template to subdir	2019-03-29 16:51:58 +00:00
alpine	issue/5035: Remove warning for missing pytest during build phase and add libcap-dev dependency	2019-09-23 16:56:24 +02:00
babeld	*: strip trailing whitespace	2019-09-30 16:44:43 +00:00
bfdd	*: remove redundant brackets in commands	2019-10-08 15:31:40 +03:00
bgpd	bgpd: Ensure that struct prefix_rd rd is zero'ed out	2019-10-10 09:03:56 -04:00
debian	tools: Modifications to copy support bundle files	2019-09-13 10:05:13 -07:00
doc	doc: add style guide for YANG	2019-10-09 19:30:10 +00:00
docker	Merge pull request #5005 from Frankkkkk/dockerfile	2019-10-04 13:51:23 +01:00
eigrpd	Merge pull request #5009 from donaldsharp/interface_deletion	2019-09-30 07:46:19 -04:00
fpm	build: fix "make tags"	2019-09-17 16:35:12 +02:00
gdb	bgpd: Convert binfo to path	2018-10-09 14:26:30 -04:00
grpc	build: fix "make tags"	2019-09-17 16:35:12 +02:00
include	*: strip trailing whitespace	2019-09-30 16:44:43 +00:00
isisd	isisd: Fix handling of neighbor circuit id in three way handshake	2019-10-01 12:12:22 +02:00
ldpd	*: Convert zapi->interface_delete to ifp callback	2019-09-19 13:34:06 -04:00
lib	lib: Fix read beyond end of data structure	2019-10-10 09:03:56 -04:00
m4	build: add check for python-3.8	2019-08-14 15:06:52 +02:00
nhrpd	*: Convert zapi->interface_delete to ifp callback	2019-09-19 13:34:06 -04:00
ospf6d	Merge pull request #5009 from donaldsharp/interface_deletion	2019-09-30 07:46:19 -04:00
ospfclient	build: fix a whole bunch of *FLAGS	2019-01-30 19:13:51 +01:00
ospfd	*: remove redundant brackets in commands	2019-10-08 15:31:40 +03:00
pbrd	pbrd: Don't track ipv6 link locals	2019-10-07 18:29:01 -04:00
pimd	pimd: Fix zlog_warn when we mean debug and vice versa	2019-10-08 10:36:02 -04:00
pkgsrc	*: cleanup .gitignore files	2018-09-08 21:30:42 +02:00
python	bgpd/bmp: BMP implementation	2019-08-30 19:22:23 +02:00
qpb	build: fix "make tags"	2019-09-17 16:35:12 +02:00
redhat	tools: Modifications to copy support bundle files	2019-09-13 10:05:13 -07:00
ripd	*: strip trailing whitespace	2019-09-30 16:44:43 +00:00
ripngd	*: strip trailing whitespace	2019-09-30 16:44:43 +00:00
sharpd	sharpd: Start infrastructure to allow for redistribution testing	2019-10-02 10:01:35 -04:00
snapcraft	snapcraft: Add libdb5.3 dependency	2019-05-29 01:41:02 +02:00
solaris	*: cleanup .gitignore files	2018-09-08 21:30:42 +02:00
staticd	Merge pull request #5009 from donaldsharp/interface_deletion	2019-09-30 07:46:19 -04:00
tests	Merge branch 'master' into ecmp_tests	2019-10-04 15:19:17 +02:00
tools	tools: Adding new commands to the list of support bundle commands	2019-09-13 10:05:57 -07:00
vrrpd	*: Convert zapi->interface_delete to ifp callback	2019-09-19 13:34:06 -04:00
vtysh	Merge pull request #5042 from opensourcerouting/vtysh-nb-cmds	2019-09-24 05:11:00 -04:00
watchfrr	lib, watchfrr: Add some additional status messages to systemd	2019-10-03 21:09:28 -04:00
yang	Merge pull request #5052 from mjstapp/zebra_yang_model	2019-09-25 09:27:57 -04:00
zebra	Merge pull request #5079 from mjstapp/fix_dplane_drop_at_shut	2019-10-03 11:49:07 -04:00
.clang-format	*: frr_elevate_privs -> frr_with_privs	2019-09-03 17:18:35 +02:00
.dir-locals.el	.dir-locals.el: show trailing whitespace	2017-11-07 12:05:09 -05:00
.dockerignore	docker/alpine: Update buildscript to keep the docker image around	2019-03-27 15:39:54 +01:00
.gitignore	git: Ignore Visual Studio Code settings	2019-05-11 10:12:43 +03:00
bootstrap.sh	autoreconf -i	2007-02-06 19:28:28 +00:00
buildtest.sh	config: switch a few references to say FRR	2017-07-12 11:25:33 -05:00
changelog-auto.in	debian: cleanly split off from dist tarball	2019-02-19 21:31:18 +01:00
config.version.in	build: carry --with-pkg-extra-version into tarballs	2018-10-24 15:11:50 +02:00
configure.ac	configure.ac: fix memory sanitizer test	2019-10-08 21:24:26 -03:00
COPYING	*: make consistent & update GPLv2 file headers	2017-05-15 16:37:41 +02:00
COPYING-LGPLv2.1	build: remove LGPL v2.0, add LGPL v2.1	2016-11-15 17:19:38 +09:00
defaults.h	*: reindent	2017-07-17 14:04:07 +02:00
Makefile.am	build: improve clippy options	2019-06-12 19:22:59 +02:00
README.md	README.md: add reference to apt repo	2019-09-17 03:53:17 +00:00
stamp-h.in	Initial revision	2002-12-13 20:15:29 +00:00

README.md

FRRouting

FRR is free software that implements and manages various IPv4 and IPv6 routing protocols. It runs on nearly all distributions of Linux and BSD as well as Solaris and supports all modern CPU architectures.

FRR currently supports the following protocols:

BGP
OSPFv2
OSPFv3
RIPv1
RIPv2
RIPng
IS-IS
PIM-SM/MSDP
LDP
BFD
Babel
PBR
OpenFabric
VRRP
EIGRP (alpha)
NHRP (alpha)

Installation & Use

For source tarballs, see the releases page.

For Debian and its derivatives, use the APT repository at https://deb.frrouting.org/.

Instructions on building and installing from source for supported platforms may be found in the developer docs.

Once installed, please refer to the user guide for instructions on use.

Community

The FRRouting email list server is located here and offers the following public lists:

Topic	List
Development	dev@lists.frrouting.org
Users & Operators	frog@lists.frrouting.org
Announcements	announce@lists.frrouting.org

For chat, we currently use Slack. You can join by clicking the "Slack" link under the Participate section of our website.

Contributing

FRR maintains developer's documentation which contains the project workflow and expectations for contributors. Some technical documentation on project internals is also available.

We welcome and appreciate all contributions, no matter how small!

Security

To report security issues, please use our security mailing list:

security [at] lists.frrouting.org