From d5cb2d9e41135a34baec3663a686e19eff0a316f Mon Sep 17 00:00:00 2001 From: Francois Dumontet Date: Fri, 1 Sep 2023 17:25:25 +0200 Subject: [PATCH 1/2] bgpd: fix crash in *bgpv2PeerErrorsTable following crash occurs: at ./nptl/pthread_kill.c:44 at ./nptl/pthread_kill.c:78 at ./nptl/pthread_kill.c:89 context=0x7ffd06d3d300) at /build/make-pkg/output/_packages/cp-routing/src/lib/sigevent.c:246 length=0x7ffd06d3da88, exact=1, var_len=0x7ffd06d3da90, write_method=) at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_snmp_bgp4v2.c:364 vp=vp@entry=0x7f7c88b584c0 , vp_len=vp_len@entry=102, ename=ename@entry=0x7f7c88b58440 , enamelen=enamelen@entry=8, name=name@entry=0x7f7c88b58480 , namelen=namelen@entry=7, iname=0x7ffd06d3e7b0, index_len=1, trapobj=0x7f7c88b53b80 , trapobjlen=6, sptrap=2 '\002') at /build/make-pkg/output/_packages/cp-routing/src/lib/agentx.c:382 vp_len=vp_len@entry=102, ename=ename@entry=0x7f7c88b58440 , enamelen=enamelen@entry=8, name=name@entry=0x7f7c88b58480 , namelen=namelen@entry=7, iname=0x7ffd06d3ec30, inamelen=16, trapobj=0x7f7c88b53b80 , trapobjlen=6, sptrap=2 '\002') at /build/make-pkg/output/_packages/cp-routing/src/lib/agentx.c:298 at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_snmp_bgp4v2.c:1496 at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_fsm.c:48 at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_fsm.c:1314 event=Receive_NOTIFICATION_message) at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_fsm.c:2665 at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_packet.c:3129 at /build/make-pkg/output/_packages/cp-routing/src/lib/event.c:1979 at /build/make-pkg/output/_packages/cp-routing/src/lib/libfrr.c:1213 at /build/make-pkg/output/_packages/cp-routing/src/bgpd/bgp_main.c:510 it's due to function bgpv2PeerErrorsTable returning return SNMP_STRING(msg_str); with msg_str NULL rather the string "" this commit avoid the issue. 
Signed-off-by: Francois Dumontet
---
 bgpd/bgp_debug.c | 4 ++--
 bgpd/bgp_vty.c | 8 +++-----
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/bgpd/bgp_debug.c b/bgpd/bgp_debug.c
index 782245e51214..a5261d61455f 100644
--- a/bgpd/bgp_debug.c
+++ b/bgpd/bgp_debug.c
@@ -499,11 +499,11 @@ const char *bgp_notify_admin_message(char *buf, size_t bufsz, uint8_t *data, size_t datalen)
 {
 if (!data || datalen < 1)
- return NULL;
+ return buf;
 uint8_t len = data[0];
 if (!len || len > datalen - 1)
- return NULL;
+ return buf;
 return zlog_sanitize(buf, bufsz, data + 1, len);
 }
diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c
index f6db3fb3650e..122642718b87 100644
--- a/bgpd/bgp_vty.c
+++ b/bgpd/bgp_vty.c
@@ -11202,11 +11202,9 @@ static void bgp_show_peer_reset(struct vty * vty, struct peer *peer,
 msgbuf, sizeof(msgbuf), (uint8_t *)peer->notify.data, peer->notify.length);
- if (msg_str)
- json_object_string_add(
- json_peer,
- "lastShutdownDescription",
- msg_str);
+ json_object_string_add(json_peer,
+ "lastShutdownDescription",
+ msg_str);
 }
 }
From b8f3f0b86ff3fae4a3e655811680bc11b18fd0e2 Mon Sep 17 00:00:00 2001
From: Francois Dumontet
Date: Mon, 18 Sep 2023 13:55:08 +0200
Subject: [PATCH 2/2] bgpd: initialization in bgp_notify_admin_message function buffer buff is fully zeroed by a memset in bgp_notify_admin_message function
Signed-off-by: Donatas Abraitis
---
 bgpd/bgp_debug.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bgpd/bgp_debug.c b/bgpd/bgp_debug.c
index a5261d61455f..123a1cacf3fe 100644
--- a/bgpd/bgp_debug.c
+++ b/bgpd/bgp_debug.c
@@ -498,6 +498,7 @@ const char *bgp_notify_subcode_str(char code, char subcode)
 const char *bgp_notify_admin_message(char *buf, size_t bufsz, uint8_t *data, size_t datalen)
 {
+ memset(buf, 0, bufsz);
 if (!data || datalen < 1)
 return buf;
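Review bot: In the bgpd/bgp_debug.c hunk of PATCH 1/2, both early returns of bgp_notify_admin_message now hand back `buf` without ever writing to it, so on the missing-data and bad-length paths the caller receives whatever its buffer already held. If a caller passes an uninitialised stack array (the `msgbuf` in bgp_show_peer_reset looks like one, though its declaration is outside the diff), the result may be unterminated or expose stale memory. The backtrace in the description shows this code is reached while handling a peer's NOTIFICATION. PATCH 2/2 closes the gap with a memset, but this commit on its own is unsafe to bisect to or backport; either squash the two patches or terminate the buffer here with `if (bufsz) buf[0] = '\0';` ahead of the first check.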
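Review bot: With the `if (msg_str)` guard removed in the bgpd/bgp_vty.c hunk, `lastShutdownDescription` is added to the JSON every time this branch runs, including when the notification carried no admin message, and the key then holds an empty string. Consumers that treated the presence of the key as "the peer sent a message" will see a behaviour change. If that is not intended, guard on content rather than on the pointer: `if (msg_str && msg_str[0] != '\0')` before the `json_object_string_add(...)` call. bgp_show_peer_reset starts and ends outside the hunk, so the declaration of `msgbuf` could not be checked.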
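Review bot: After PATCH 2/2 bgp_notify_admin_message has a new contract that is written down nowhere at the definition: it no longer returns NULL, and it yields an empty string when the data is absent or the length byte is invalid. Any other caller that still tests the result against NULL will now silently take its "message present" branch; such callers are not visible in this diff and are worth auditing. A comment above the function would record the contract: `/* Returns buf, always NUL-terminated; empty when no valid admin message is present. Never returns NULL. */`. The added `memset(buf, 0, bufsz);` also runs before any check and dereferences `buf` unconditionally, so the same comment should state that `buf` must be non-NULL.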