Skip to content

bgpd: Do not crash if we receive a next-hop length not as expected for NHC (backport #20367)#20370

Merged
riw777 merged 1 commit intostable/10.5from
mergify/bp/stable/10.5/pr-20367
Jan 6, 2026
Merged

bgpd: Do not crash if we receive a next-hop length not as expected for NHC (backport #20367)#20370
riw777 merged 1 commit intostable/10.5from
mergify/bp/stable/10.5/pr-20367

Conversation

@mergify
Copy link

@mergify mergify bot commented Jan 6, 2026

This is an automatic backport of pull request #20367 done by [Mergify](https://mergify.com).

@ton31337 @mergify
bgpd: Do not crash if we receive a next-hop length not as expected fo…
b5b7256 
…r NHC

Or NHC attribute length is too short.

==4==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x581cb1a0adba bp 0x7fff9d3d7fb0 sp 0x7fff9d3d7f80 T0)
==4==The signal is caused by a READ memory access.
==4==Hint: address points to the zero page.
    0 0x581cb1a0adba in bgp_nhc_free /tmp/frr/bgpd/bgp_nhc.c:79:25
    1 0x581cb1774f37 in bgp_attr_nhc /tmp/frr/bgpd/bgp_attr.c:3790:3
    2 0x581cb1774f37 in bgp_attr_parse /tmp/frr/bgpd/bgp_attr.c:4352:10
    3 0x581cb1887316 in bgp_update_receive /tmp/frr/bgpd/bgp_packet.c:2414:20
    4 0x581cb1887316 in bgp_process_packet /tmp/frr/bgpd/bgp_packet.c:4089:11
    5 0x7874a9b1da3f in event_call /tmp/frr/lib/event.c:2730:2
    6 0x7874a9a2cbc7 in frr_run /tmp/frr/lib/libfrr.c:1258:3
    7 0x581cb1762033 in main /tmp/frr/bgpd/bgp_main.c:548:2
    8 0x7874a938bd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
    9 0x7874a938be3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 4f7b0c955c3d81d7cac1501a2498b69d1d82bfe7)
    10 0x581cb16a3724 in _start (/usr/sbin/bgpd+0x34e724) (BuildId: 26dc7916b6dcfa8cfe8cac8b1205bed10f4bb5bd)

Found-by: Evan Custodio (Amazon)
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
(cherry picked from commit 972fff7)
@mergify mergify bot mentioned this pull request Jan 6, 2026
Merged
@frrbot frrbot bot added the bgp label Jan 6, 2026
@riw777 riw777 merged commit e02c286 into stable/10.5 Jan 6, 2026
20 of 21 checks passed
@Jafaral Jafaral deleted the mergify/bp/stable/10.5/pr-20367 branch January 27, 2026 16:51
@mattiaswal mattiaswal mentioned this pull request Mar 18, 2026
Merged
17 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bgp size/XS stable/10.5

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@riw777 @ton31337