bgpd: bmp, fix address sanitizer issue

The following ASAN error can be seen.

> ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x608000036c20
>     #0 0x7f3d7a4b5425 in __interceptor_malloc_usable_size ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:198
>     #1 0x7f3d7a426a16 in __sanitizer::BufferedStackTrace::Unwind(unsigned long, unsigned long, void*, bool, unsigned int) ../../../../src/libsanitizer/sanitizer_common
> /sanitizer_stacktrace.h:122
>     #2 0x7f3d7a426a16 in __asan::asan_malloc_usable_size(void const*, unsigned long, unsigned long) ../../../../src/libsanitizer/asan/asan_allocator.cpp:1074
>     #3 0x7f3d7a03f330 in mt_count_free lib/memory.c:78
>     #4 0x7f3d7a03f330 in qfree lib/memory.c:130
>     #5 0x7f3d76ccf89b in bmp_peer_status_changed bgpd/bgp_bmp.c:982
>     #6 0x560ae2aa6a94 in hook_call_peer_status_changed bgpd/bgp_fsm.c:47
>     #7 0x560ae2aa6a94 in bgp_fsm_change_status bgpd/bgp_fsm.c:1287
>     #8 0x560ae2c4f2e5 in peer_delete bgpd/bgpd.c:2777
>     #9 0x560ae2c58d24 in bgp_delete bgpd/bgpd.c:4140
>     #10 0x560ae2bbb47e in no_router_bgp bgpd/bgp_vty.c:1764
>     #11 0x7f3d79fb74ed in cmd_execute_command_real lib/command.c:1003
>     #12 0x7f3d79fb78a3 in cmd_execute_command lib/command.c:1062
>     #13 0x7f3d79fb7e03 in cmd_execute lib/command.c:1228
>     #14 0x7f3d7a107b53 in vty_command lib/vty.c:625
>     #15 0x7f3d7a109902 in vty_execute lib/vty.c:1388
>     #16 0x7f3d7a10cc32 in vtysh_read lib/vty.c:2400
>     #17 0x7f3d7a0f848b in event_call lib/event.c:2019
>     #18 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232
>     #19 0x560ae29e0037 in main bgpd/bgp_main.c:555
>     #20 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>     #21 0x7f3d79a29e3f in __libc_start_main_impl ../csu/libc-start.c:392
>     #22 0x560ae29e4ef4 in _start (/usr/lib/frr/bgpd+0x2eeef4)
>
> 0x608000036c20 is located 0 bytes inside of 81-byte region [0x608000036c20,0x608000036c71)
> freed by thread T0 here:
>     #0 0x7f3d7a4b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
>     #1 0x7f3d76ccf85f in bmp_peer_status_changed bgpd/bgp_bmp.c:981
>     #2 0x560ae2aa6a94 in hook_call_peer_status_changed bgpd/bgp_fsm.c:47
>     #3 0x560ae2aa6a94 in bgp_fsm_change_status bgpd/bgp_fsm.c:1287
>     #4 0x560ae2c4f2e5 in peer_delete bgpd/bgpd.c:2777
>     #5 0x560ae2c58d24 in bgp_delete bgpd/bgpd.c:4140
>     #6 0x560ae2bbb47e in no_router_bgp bgpd/bgp_vty.c:1764
>     #7 0x7f3d79fb74ed in cmd_execute_command_real lib/command.c:1003
>     #8 0x7f3d79fb78a3 in cmd_execute_command lib/command.c:1062
>     #9 0x7f3d79fb7e03 in cmd_execute lib/command.c:1228
>     #10 0x7f3d7a107b53 in vty_command lib/vty.c:625
>     #11 0x7f3d7a109902 in vty_execute lib/vty.c:1388
>     #12 0x7f3d7a10cc32 in vtysh_read lib/vty.c:2400
>     #13 0x7f3d7a0f848b in event_call lib/event.c:2019
>     #14 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232
>     #15 0x560ae29e0037 in main bgpd/bgp_main.c:555
>     #16 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
>
> previously allocated by thread T0 here:
>     #0 0x7f3d7a4b4887 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
>     #1 0x7f3d7a03f0e9 in qmalloc lib/memory.c:101
>     #2 0x7f3d76cd0166 in bmp_bgp_peer_vrf bgpd/bgp_bmp.c:2194
>     #3 0x7f3d76cd0166 in bmp_bgp_update_vrf_status bgpd/bgp_bmp.c:2236
>     #4 0x7f3d76cd29b8 in bmp_vrf_state_changed bgpd/bgp_bmp.c:3479
>     #5 0x560ae2c45b34 in hook_call_bgp_instance_state bgpd/bgpd.c:88
>     #6 0x560ae2c4d158 in bgp_instance_up bgpd/bgpd.c:3936
>     #7 0x560ae29e5ed1 in bgp_vrf_enable bgpd/bgp_main.c:299
>     #8 0x7f3d7a0ff8b1 in vrf_enable lib/vrf.c:286
>     #9 0x7f3d7a0ff8b1 in vrf_enable lib/vrf.c:275
>     #10 0x7f3d7a12ab66 in zclient_vrf_add lib/zclient.c:2561
>     #11 0x7f3d7a12eb43 in zclient_read lib/zclient.c:4624
>     #12 0x7f3d7a0f848b in event_call lib/event.c:2019
>     #13 0x7f3d7a01e627 in frr_run lib/libfrr.c:1232
>     #14 0x560ae29e0037 in main bgpd/bgp_main.c:555
>     #15 0x7f3d79a29d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>

diff --git a/bgpd/bgp_bmp.c b/bgpd/bgp_bmp.c
index acc49cac943508fae8be6645d5416d38c8a94957..4065d867954dd38dc85baf9ec07c48ceb4a1e9cc 100644 (file)
--- a/bgpd/bgp_bmp.c
+++ b/bgpd/bgp_bmp.c
@@ -2017,7 +2017,8 @@ static void bmp_bgp_peer_vrf(struct bmp_bgp_peer *bbpeer, struct bgp *bgp)
        memcpy(bbpeer->open_rx, s->data, open_len);
 
        bbpeer->open_tx_len = open_len;
-       bbpeer->open_tx = bbpeer->open_rx;
+       bbpeer->open_tx = XMALLOC(MTYPE_BMP_OPEN, open_len);
+       memcpy(bbpeer->open_tx, s->data, open_len);
 
        stream_free(s);
 }