From 297e8cfc106fe9b81a4d3ac80c8daf5157e26e06 Mon Sep 17 00:00:00 2001
From: Philippe Guibert
Date: Fri, 8 Mar 2024 14:05:43 +0100
Subject: [PATCH] zebra: fix crash when encapsulating a segment-list with 1 SID

A crash happens when an SRTE creates a seg6local route with the end.b6.encaps operation. The crash is related to a segment-list with one segment only. There would have not been any crashes if at least two segments were present. The proposed fix does prevent from configuring a seg6local route if a segment-list has only one element.

Fixes: 13a1297ec83f ("zebra: add end.b6.encaps to rt_netlink")
Signed-off-by: Philippe Guibert
Signed-off-by: Dmytro Shytyi
---
 lib/nexthop.c | 1 +
 zebra/rt_netlink.c | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/nexthop.c b/lib/nexthop.c
index fce4d39e0085..7d40d9fe03ab 100644
--- a/lib/nexthop.c
+++ b/lib/nexthop.c
@@ -899,6 +899,7 @@ void nexthop_copy_no_recurse(struct nexthop *copy,
 if (nexthop->nh_srv6) {
 if (nexthop->nh_srv6->seg6local_action ==
 ZEBRA_SEG6_LOCAL_ACTION_END_B6_ENCAP &&
+ nexthop->nh_srv6->seg6_segs &&
 nexthop->nh_srv6->seg6_segs->num_segs > 1)
 nexthop_add_srv6_seg6local(copy,
 nexthop->nh_srv6
diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c
index 3dbe516e964e..d065a2fe2e00 100644
--- a/zebra/rt_netlink.c
+++ b/zebra/rt_netlink.c
@@ -2679,7 +2679,7 @@ static ssize_t fill_srh_end_b6_encaps(char *buffer, size_t buflen,
 size_t srhlen;
 int i;
 
- if (segs->num_segs > SRV6_MAX_SEGS) {
+ if (!segs || segs->num_segs > SRV6_MAX_SEGS) {
 /* Exceeding maximum supported SIDs */
 return -1;
 }
@@ -2717,6 +2717,8 @@ static int netlink_nexthop_msg_encode_end_b6_encaps(struct buf_req *req,
 return 0;
 srh_len = fill_srh_end_b6_encaps(srh_buf, sizeof(srh_buf),
 nh->nh_srv6->seg6_segs);
+ if (srh_len < 0)
+ return 0;
 if (!nl_attr_put(&req->n, buflen, SEG6_LOCAL_SRH, srh_buf, srh_len))
 return 0;
 return 1;
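Review bot: The guarded condition in nexthop_copy_no_recurse needs a comment saying when `seg6_segs` is NULL, because the commit message blames a one-segment list while the `num_segs > 1` test was already present and the line actually added is the NULL check. I would put `/* seg6_segs can be unset; END_B6_ENCAP is only copied with a list of at least two SIDs */` above the `if`, adjusted to whatever the real invariant is. The function continues outside the hunk, so the branch taken when this condition fails is not visible; it is worth confirming that it does not carry the END_B6_ENCAP action over without its segment list.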
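Review bot: The comment `/* Exceeding maximum supported SIDs */` in fill_srh_end_b6_encaps no longer matches its condition, which now also rejects a NULL `segs`; `/* No segment list, or more SIDs than supported */` would be accurate. The guard still has no lower bound, although the commit message ties the crash to a single-SID list. The rest of the function is outside the hunk; if it assumes at least two segments, rejecting `segs->num_segs < 2` here as well would make the helper safe on its own rather than dependent on every caller pre-filtering.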
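Review bot: The new `if (srh_len < 0)` test in netlink_nexthop_msg_encode_end_b6_encaps is only effective if `srh_len` is declared with a signed type, i.e. `ssize_t srh_len;` to match the helper's return type. The declaration is outside the hunk and should be confirmed. With an unsigned type the comparison is always false, and the -1 from fill_srh_end_b6_encaps would reach nl_attr_put as a very large length over `srh_buf`, which is the out-of-bounds copy this check is meant to stop. The failure path is also silent; a log line before `return 0;` would show why the nexthop was not installed.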