From 8d9df5cf047d27b305bb79c37021ac960002bd9f Mon Sep 17 00:00:00 2001
From: Louis Scalbert <louis.scalbert@6wind.com>
Date: Fri, 11 Apr 2025 17:21:49 +0200
Subject: [PATCH] bgpd: fix bgp_pbr_match memory leak

> Direct leak of 1144 byte(s) in 13 object(s) allocated from:
>     #0 0x7f3eedeb4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
>     #1 0x7f3eed86f8dd in qcalloc lib/memory.c:105
>     #2 0x55b32d236faf in bgp_pbr_match_alloc_intern bgpd/bgp_pbr.c:1074
>     #3 0x7f3eed817d79 in hash_get lib/hash.c:147
>     #4 0x55b32d242d9a in bgp_pbr_policyroute_add_to_zebra_unit bgpd/bgp_pbr.c:2486
>     #5 0x55b32d244436 in bgp_pbr_policyroute_add_to_zebra bgpd/bgp_pbr.c:2672
>     #6 0x55b32d245a05 in bgp_pbr_handle_entry bgpd/bgp_pbr.c:2843
>     #7 0x55b32d246912 in bgp_pbr_update_entry bgpd/bgp_pbr.c:2939
>     #8 0x55b32d3c7472 in bgp_zebra_announce bgpd/bgp_zebra.c:1618
>     #9 0x55b32d26e5e7 in bgp_process_main_one bgpd/bgp_route.c:3691
>     #10 0x55b32d26f77d in process_subq_other_route bgpd/bgp_route.c:3856
>     #11 0x55b32d2701ff in process_subq bgpd/bgp_route.c:3955
>     #12 0x55b32d27029f in meta_queue_process bgpd/bgp_route.c:3980
>     #13 0x7f3eed99fdd8 in work_queue_run lib/workqueue.c:282
>     #14 0x7f3eed97798e in event_call lib/event.c:2011
>     #15 0x7f3eed842ff1 in frr_run lib/libfrr.c:1216
>     #16 0x55b32d0a1a15 in main bgpd/bgp_main.c:545
>     #17 0x7f3eed229d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

Fixes: d114b0d739 ("bgpd: inject policy route entry from bgp into zebra pbr entries.")
Signed-off-by: Louis Scalbert <louis.scalbert@6wind.com>
---
 bgpd/bgp_pbr.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/bgpd/bgp_pbr.c b/bgpd/bgp_pbr.c
index ec4f19cccf..76d414a926 100644
--- a/bgpd/bgp_pbr.c
+++ b/bgpd/bgp_pbr.c
@@ -984,7 +984,12 @@ static void bgp_pbr_match_entry_hash_free(void *arg)
 	bgp_pbr_match_entry_free(bpme);
 }
 
-static void bgp_pbr_match_free(void *arg)
+static void bgp_pbr_match_free(struct bgp_pbr_match *bpm)
+{
+	XFREE(MTYPE_PBR_MATCH, bpm);
+}
+
+static void bgp_pbr_match_hash_free(void *arg)
 {
 	struct bgp_pbr_match *bpm;
 
@@ -1009,7 +1014,7 @@ static void bgp_pbr_match_free(void *arg)
 	}
 	hash_clean_and_free(&bpm->entry_hash, NULL);
 
-	XFREE(MTYPE_PBR_MATCH, bpm);
+	bgp_pbr_match_free(bpm);
 }
 
 static void *bgp_pbr_match_alloc_intern(void *arg)
@@ -1377,7 +1382,7 @@ struct bgp_pbr_match *bgp_pbr_match_iptable_lookup(vrf_id_t vrf_id,
 
 void bgp_pbr_cleanup(struct bgp *bgp)
 {
-	hash_clean_and_free(&bgp->pbr_match_hash, bgp_pbr_match_free);
+	hash_clean_and_free(&bgp->pbr_match_hash, bgp_pbr_match_hash_free);
 	hash_clean_and_free(&bgp->pbr_rule_hash, bgp_pbr_rule_free);
 	hash_clean_and_free(&bgp->pbr_action_hash, bgp_pbr_action_free);
 
@@ -1706,6 +1711,7 @@ static void bgp_pbr_flush_entry(struct bgp *bgp, struct bgp_pbr_action *bpa,
 			bpm->action = NULL;
 		}
 		hash_release(bgp->pbr_match_hash, bpm);
+		bgp_pbr_match_free(bpm);
 		/* XXX release pbr_match_action if not used
 		 * note that drop does not need to call send_pbr_action
 		 */
-- 
2.39.5