Skip to content

bgpd: Do not crash if we receive a next-hop length not as expected for NHC#20367

Merged
donaldsharp merged 1 commit intoFRRouting:masterfrom
opensourcerouting:fix/nhc_null
Jan 6, 2026
Merged

bgpd: Do not crash if we receive a next-hop length not as expected for NHC#20367
donaldsharp merged 1 commit intoFRRouting:masterfrom
opensourcerouting:fix/nhc_null

Conversation

@ton31337
Copy link
Member

@ton31337 ton31337 commented Jan 5, 2026

No description provided.

@ton31337
bgpd: Do not crash if we receive a next-hop length not as expected fo…
972fff7 
…r NHC

Or NHC attribute length is too short.

==4==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x581cb1a0adba bp 0x7fff9d3d7fb0 sp 0x7fff9d3d7f80 T0)
==4==The signal is caused by a READ memory access.
==4==Hint: address points to the zero page.
    0 0x581cb1a0adba in bgp_nhc_free /tmp/frr/bgpd/bgp_nhc.c:79:25
    1 0x581cb1774f37 in bgp_attr_nhc /tmp/frr/bgpd/bgp_attr.c:3790:3
    2 0x581cb1774f37 in bgp_attr_parse /tmp/frr/bgpd/bgp_attr.c:4352:10
    3 0x581cb1887316 in bgp_update_receive /tmp/frr/bgpd/bgp_packet.c:2414:20
    4 0x581cb1887316 in bgp_process_packet /tmp/frr/bgpd/bgp_packet.c:4089:11
    5 0x7874a9b1da3f in event_call /tmp/frr/lib/event.c:2730:2
    6 0x7874a9a2cbc7 in frr_run /tmp/frr/lib/libfrr.c:1258:3
    7 0x581cb1762033 in main /tmp/frr/bgpd/bgp_main.c:548:2
    8 0x7874a938bd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
    9 0x7874a938be3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
    10 0x581cb16a3724 in _start (/usr/sbin/bgpd+0x34e724) (BuildId: 26dc7916b6dcfa8cfe8cac8b1205bed10f4bb5bd)

Found-by: Evan Custodio (Amazon)
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
@frrbot frrbot bot added the bgp label Jan 5, 2026
@ton31337
Copy link
Member Author

ton31337 commented Jan 6, 2026

@Mergifyio backport stable/10.5 stable/10.4

@mergify
Copy link

mergify bot commented Jan 6, 2026
edited
Loading

backport stable/10.5 stable/10.4

✅ Backports have been created

Details

@donaldsharp donaldsharp merged commit d29b704 into FRRouting:master Jan 6, 2026
21 checks passed
This was referenced Jan 6, 2026
Merged
Merged
@ton31337 ton31337 deleted the fix/nhc_null branch January 6, 2026 12:21
riw777 added a commit that referenced this pull request Jan 6, 2026
@riw777
Merge pull request #20370 from FRRouting/mergify/bp/stable/10.5/pr-20367
e02c286 
bgpd: Do not crash if we receive a next-hop length not as expected for NHC (backport #20367)
riw777 added a commit that referenced this pull request Jan 6, 2026
@riw777
Merge pull request #20371 from FRRouting/mergify/bp/stable/10.4/pr-20367
99009f2 
bgpd: Do not crash if we receive a next-hop length not as expected for NHC (backport #20367)
@mattiaswal mattiaswal mentioned this pull request Mar 18, 2026
Merged
17 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

backport bgp master size/XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ton31337 @donaldsharp