frr
BGPd: member access within null pointer of type 'struct lysc_node_action'
Description
There is a bug in bgpd, i.e., member access within null pointer of type 'struct lysc_node_action'
lib/yang.c:253:3: runtime error: member access within null pointer of type 'struct lysc_node_action'
#0 0x7fc6025ac167 in yang_snodes_iterate lib/yang.c:253
#1 0x7fc6023f919b in nb_init lib/northbound.c:2721
#2 0x7fc60231d815 in frr_init lib/libfrr.c:823
#3 0x557985445180 in main bgpd/bgp_main.c:513
#4 0x7fc600bcc082 in __libc_start_main ../csu/libc-start.c:308
#5 0x55798543f67d in _start (/home/ubuntu/experiments/frr-crashreplay/bgpd/.libs/bgpd+0xdab67d)
BGP: Received signal 6 at 1725594545 (si_addr 0x20, PC 0x7fc600beb00b); aborting...
BGP: /lib/x86_64-linux-gnu/libasan.so.5(+0x6cd40) [0x7fc60318bd40]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(zlog_backtrace_sigsafe+0x236) [0x7fc60235e8e0]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(zlog_signal+0x4ac) [0x7fc60235e149]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(+0xabde87) [0x7fc6024d8e87]
BGP: /lib/x86_64-linux-gnu/libpthread.so.0(+0x14420) [0x7fc600dae420]
BGP: /lib/x86_64-linux-gnu/libc.so.6(gsignal+0xcb) [0x7fc600beb00b]
BGP: /lib/x86_64-linux-gnu/libc.so.6(abort+0x12b) [0x7fc600bca859]
BGP: /lib/x86_64-linux-gnu/libubsan.so.1(+0x1d592) [0x7fc600dda592]
BGP: /lib/x86_64-linux-gnu/libubsan.so.1(+0x28c6c) [0x7fc600de5c6c]
BGP: /lib/x86_64-linux-gnu/libubsan.so.1(+0x8419) [0x7fc600dc5419]
BGP: /lib/x86_64-linux-gnu/libubsan.so.1(+0xba21) [0x7fc600dc8a21]
BGP: /lib/x86_64-linux-gnu/libubsan.so.1(__ubsan_handle_type_mismatch_v1+0x25) [0x7fc600dc9d45]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(yang_snodes_iterate+0x4c2) [0x7fc6025ac168]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(nb_init+0x87b) [0x7fc6023f919c]
BGP: /home/ubuntu/experiments/frr-crashreplay/lib/.libs/libfrr.so.0(frr_init+0x1a2d) [0x7fc60231d816]
BGP: /home/ubuntu/experiments/frr-crashreplay/bgpd/.libs/bgpd(main+0x54b) [0x557985445181]
BGP: /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf3) [0x7fc600bcc083]
BGP: /home/ubuntu/experiments/frr-crashreplay/bgpd/.libs/bgpd(_start+0x2e) [0x55798543f67e]
BGP: no thread information available
core_handler: showing active allocations in memory group libfrr
core_handler: memstats: Host config : 5 * (variably sized)
core_handler: memstats: Command Tokens : 999 * 72
core_handler: memstats: Command Token Text : 798 * (variably sized)
core_handler: memstats: Command Token Help : 798 * (variably sized)
core_handler: memstats: Command Argument Name : 204 * (variably sized)
core_handler: memstats: Scripting : 14 * (variably sized)
core_handler: memstats: Graph : 9 * 8
core_handler: memstats: Graph Node : 1189 * 32
core_handler: memstats: Hash : 22 * (variably sized)
core_handler: memstats: Hash Bucket : 252 * 24
core_handler: memstats: Hash Index : 11 * (variably sized)
core_handler: memstats: Link List : 6 * 40
core_handler: memstats: Link Node : 15 * 24
core_handler: memstats: Northbound Node : 58 * 1208
core_handler: memstats: Privilege information : 2 * (variably sized)
core_handler: memstats: Thread master : 4 * (variably sized)
core_handler: memstats: Thread Poll Info : 2 * 800000
core_handler: memstats: Vector : 2397 * 24
core_handler: memstats: Vector index : 2397 * (variably sized)
core_handler: memstats: YANG module : 5 * 48
core_handler: showing active allocations in memory group Native message allocations
core_handler: showing active allocations in memory group logging subsystem
core_handler: showing active allocations in memory group bgpd
core_handler: showing active allocations in memory group rfapi
Aborted
Version
commit 340d51fc3a9c88b4db38c685cf87ab9970db060a
How to reproduce
- Build
./bootstrap.sh && \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--sbindir=${WORKDIR}/frr/bin \
--enable-static \
--enable-dev-build \
--enable-address-sanitizer \
--enable-undefined-sanitizer \
--enable-mgmtd-test-be-client \
--enable-rpki \
--enable-sharpd \
--enable-multipath=64 \
--enable-user=root \
--enable-group=root \
--enable-config-rollbacks \
--enable-grpc \
--enable-snmp=agentx \
--enable-scripting \
--with-pkg-extra-version=-my-manual-build && \
make -j4
- Run
Run zebra and mgmtd separately as background programs, using the commands
./mgmtd/mgmtd --limit-fds 100000 and ./zebra/zebra --limit-fds 100000
Then, run bgpd
./bgpd/bgpd --limit-fds 100000 -p 179 -f /etc/bgpd.conf -l 127.0.0.1
bgpd.conf:
log stdout debugging
!debug bgp events
!debug bgp filters
!debug bgp fsm
debug bgp keepalives
debug bgp neighbor-events
debug bgp updates
router bgp 65001
bgp router-id 10.0.255.6
neighbor 10.0.255.5 remote-as 64512
neighbor 10.0.255.5 timers 1 3
!neighbor 10.0.255.5 extended-optional-parameters
neighbor 10.0.255.5 graceful-restart
neighbor 10.0.255.5 route-reflector-client
neighbor 10.0.255.5 addpath-tx-all-paths
neighbor 10.0.255.5 nexthop-unchanged
neighbor 10.0.255.5 capability dynamic
neighbor 10.0.255.5 graceful-shutdown
neighbor 10.0.255.5 capability orf prefix-list
neighbor 10.0.255.5 route-target filter
neighbor 10.0.255.5 capability additional-paths send
address-family ipv4 unicast
neighbor 10.0.255.5 activate
neighbor 10.0.255.5 route-map EXPORT out
neighbor 10.0.255.5 route-map IMPORT in
exit-address-family
route-map EXPORT permit 10
match interface eth1
!
route-map EXPORT deny 100
!
route-map IMPORT permit 10
!
line vty
!
Expected behavior
No crash
Actual behavior
Crash
Additional context
No response
Checklist
- [X] I have searched the open issues for this bug.
- [X] I have not included sensitive information in this report.
Do you run mgmtd, zebra separately also (like bgpd)?
@ton31337 I've run zebra and mgmtd separately as background programs, using the commands ./mgmtd/mgmtd --limit-fds 100000 and ./zebra/zebra --limit-fds 100000. The issue mentioned above still occurs.
Is this happening only with sanitizers enabled?
> Is this happening only with sanitizers enabled?

Yes
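The sanitizer-only crash reported here is UBSan's "member access within null pointer" check: a pointer that came back NULL is cast to a wider struct and one of its members is touched, which a plain build may run straight through (or fold into pointer arithmetic) but an -fsanitize=undefined build aborts on at the first access. The block below is an added illustration of that defect shape and its guarded form; it is not FRR or libyang code, and schema_node, schema_action, find_action and the sample tree are hypothetical stand-ins for lysc_node / lysc_node_action, not the real types.

```c
/* Added illustration, not FRR or libyang code: schema_node, schema_action,
 * find_action and the sample tree are hypothetical stand-ins for libyang's
 * lysc_node / lysc_node_action. */
#include <stdio.h>
#include <string.h>

enum node_kind { NODE_CONTAINER, NODE_LEAF, NODE_ACTION };

struct schema_node {
    enum node_kind kind;
    const char *name;
    struct schema_node *child;  /* first child, containers only */
    struct schema_node *next;   /* next sibling */
};

/* An action node "extends" the base node, the way lysc_node_action does. */
struct schema_action {
    struct schema_node base;    /* base.kind == NODE_ACTION */
    struct schema_node *input;  /* NULL when the action has no input */
    struct schema_node *output; /* NULL when the action has no output */
};

/* Count the nodes of a sibling list; tolerates an empty (NULL) list. */
static int count_list(const struct schema_node *n)
{
    int c = 0;
    for (; n; n = n->next)
        c++;
    return c;
}

/* Depth-first search for an action by name; NULL if it is not present. */
static const struct schema_action *find_action(const struct schema_node *n,
                                               const char *name)
{
    for (; n; n = n->next) {
        if (n->kind == NODE_ACTION && strcmp(n->name, name) == 0)
            return (const struct schema_action *)n;
        if (n->kind == NODE_CONTAINER) {
            const struct schema_action *a = find_action(n->child, name);
            if (a)
                return a;
        }
    }
    return NULL;
}

/* Defect shape: trusts the lookup. When the action is absent, act is NULL
 * and act->input is exactly what UBSan reports as "member access within
 * null pointer of type 'struct schema_action'". */
static int count_inputs_unchecked(const struct schema_node *root,
                                  const char *name)
{
    const struct schema_action *act = find_action(root, name);
    return count_list(act->input);
}

/* Guarded shape: the cast result is checked before any member access and a
 * missing action is reported to the caller instead of dereferenced. */
static int count_inputs_checked(const struct schema_node *root,
                                const char *name)
{
    const struct schema_action *act = find_action(root, name);
    if (!act)
        return -1;
    return count_list(act->input);
}

/* Constructed sample schema (not from any real YANG module):
 *   container "cfg"
 *     leaf "id"
 *     action "reset"   input: "force", "delay"; no output */
static struct schema_node in_delay = { NODE_LEAF, "delay", NULL, NULL };
static struct schema_node in_force = { NODE_LEAF, "force", NULL, &in_delay };
static struct schema_action reset_action = {
    { NODE_ACTION, "reset", NULL, NULL }, &in_force, NULL
};
static struct schema_node leaf_id = { NODE_LEAF, "id", NULL, &reset_action.base };
static struct schema_node cfg = { NODE_CONTAINER, "cfg", &leaf_id, NULL };

int main(void)
{
    /* Both shapes agree while the action exists. */
    printf("reset inputs (unchecked): %d\n", count_inputs_unchecked(&cfg, "reset"));
    printf("reset inputs (checked):   %d\n", count_inputs_checked(&cfg, "reset"));
    /* Only the guarded shape survives a missing action; the unchecked one
     * would be the abort shown in the report when built with
     * -fsanitize=undefined. */
    printf("missing action (checked): %d\n", count_inputs_checked(&cfg, "nope"));
    return 0;
}
```

Build it once with `gcc -fsanitize=undefined` and once without, then add a call to the unchecked function with a name that is not in the tree: the sanitized binary aborts with the same class of message as lib/yang.c:253 above, which is why the report only surfaces on the sanitizer build from the configure flags in the reproduction steps.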
https://github.com/FRRouting/frr/pull/16074
Thanks for the fix!
@ton31337 Hi. Recently I've been learning frr and mainly focusing on debugging bgpd. But, I found that the daemon is very slow, especially for the startup. I'm not sure whether I turn on some features that are not directly to bgpd, e.g., configure in the building time or the bgpd.conf (my recent enables are as above). Could you please give me some advice about turning off some unnecessary features? Thanks.
@MPFuzz sounds like you are trying to do fuzzing stuff. There is already a framework for bgp to do this. Please look at the fuzz branch. It's a bit out of date but you can update it to latest master without much work imo. In any event this is not the correct place to have this sort of discussion in an unrelated issue. Please feel free to either join us in our slack and start asking questions or open a relevant discussion for this.
@donaldsharp Sorry. I will join for discussion. Look forward to merging this pr to master so that I can do more fuzzing!
This issue is stale because it has been open 180 days with no activity. Comment or remove the autoclose label in order to avoid having this issue closed.
This issue will be automatically closed in the specified period unless there is further activity.