yang: In some special configure，the command [show yang operational-data /frr-vrf:lib zebra] leads to segmentfault error

[qing8717]

Describe the bug

In some special configure，the command “show yang operational-data /frr-vrf:lib zebra” leads to segmentfault error

• [ x] Did you check if this is a duplicate issue?
• [ x] Did you test it on the latest FRRouting/frr master branch?

To Reproduce

1.Import frr-vrf.yang ;2
2.create vrf in the kernel shell:
ip link add dev test type vrf table 10
ip link set test up
3.Import the xml following:

<lib xmlns="http://frrouting.org/yang/vrf">
	<vrf>
		<name>default</name>
	</vrf>
	<vrf>
		<name>test</name>
	</vrf>
	<vrf>
		<name>vrf</name>
	</vrf>
</lib>

4.And do the command “show yang operational-data /frr-vrf:libzebra”;

Expected behavior

Screenshots

Versions

• OS Version:
  Ubuntu 20.04.1
• Kernel:
  5.15.0-60-generic
• FRR Version:frr version 9.0-dev-MyOwnFRRVersion

root@ubuntu:# gdb /usr/lib/frr/zebra
GNU gdb (Ubuntu 9.2-0ubuntu120.04.1) 9.2
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/lib/frr/zebra...
(gdb) set args -F traditional -A 127.0.0.1 -s 90000000 --asic-offload=notify_on_offload -M dplane_fpm_nl -M sysrepo --log stdout --log-level debug
(gdb) c
The program is not being run.
(gdb) r
Starting program: /usr/lib/frr/zebra -F traditional -A 127.0.0.1 -s 90000000 --asic-offload=notify_on_offload -M dplane_fpm_nl -M sysrepo --log stdout --log-level debug
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
2023/03/17 00:57:04 ZEBRA: [X0AM3-MRSP8] can't setsockopt NETLINK_ADD_MEMBERSHIP for group RTNLGRP_TUNNEL(34), this linux kernel does not support it: Invalid argument(22)
[New Thread 0x7ffff76fb700 (LWP 472475)]
[New Thread 0x7ffff6efa700 (LWP 472476)]
[New Thread 0x7ffff65f8700 (LWP 472477)]
[New Thread 0x7ffff5df7700 (LWP 472478)]
2023/03/17 00:57:04 ZEBRA: [T83RR-8SM5G] zebra 9.0-dev-MyOwnFRRVersion-gbed786711-dirty starting: vty@2601

Thread 1 "zebra" received signal SIGSEGV, Segmentation fault.
lib_vrf_zebra_ribs_rib_get_next (args=0x7fffffff6120) at zebra/zebra_nb_state.c:164
164 zrt = zebra_router_find_zrt(zvrf, zvrf->table_id, afi, safi);
(gdb) bt
#0 lib_vrf_zebra_ribs_rib_get_next (args=0x7fffffff6120) at zebra/zebra_nb_state.c:164
#1 0x00007ffff7eaf634 in nb_callback_get_next (nb_node=nb_node@entry=0x5555558b8f30, parent_list_entry=parent_list_entry@entry=0x55555580f290, list_entry=list_entry@entry=0x0)
at lib/northbound.c:1269
#2 0x00007ffff7eafab0 in nb_oper_data_iter_list (parent_list_keys=0x7fffffff65d0, arg=0x555555cc7710, cb=0x7ffff7eb35b0 <nb_cli_oper_data_cb>, flags=0, translator=0x0,
parent_list_entry=0x55555580f290, xpath_list=0x7fffffff65d0 "/frr-vrf:lib/vrf[name='vrf']/frr-zebra:zebra/ribs/rib", nb_node=) at lib/northbound.c:1741
#3 nb_oper_data_iter_node (snode=snode@entry=0x5555558865b0, xpath_parent=xpath_parent@entry=0x7fffffff7700 "/frr-vrf:lib/vrf[name='vrf']/frr-zebra:zebra/ribs",
list_entry=list_entry@entry=0x55555580f290, list_keys=list_keys@entry=0x7fffffff9550, translator=translator@entry=0x0, first=first@entry=false, flags=0,
cb=0x7ffff7eb35b0 <nb_cli_oper_data_cb>, arg=0x555555cc7710) at lib/northbound.c:1846
#4 0x00007ffff7eafdde in nb_oper_data_iter_children (snode=snode@entry=0x555555828b70, xpath=xpath@entry=0x7fffffff7700 "/frr-vrf:lib/vrf[name='vrf']/frr-zebra:zebra/ribs",
list_entry=list_entry@entry=0x55555580f290, list_keys=list_keys@entry=0x7fffffff9550, translator=translator@entry=0x0, flags=flags@entry=0, cb=0x7ffff7eb35b0 <nb_cli_oper_data_cb>,
arg=0x555555cc7710, first=false) at lib/northbound.c:1609
#5 0x00007ffff7eafc3c in nb_oper_data_iter_node (snode=snode@entry=0x555555828b70, xpath_parent=xpath_parent@entry=0x7fffffff8830 "/frr-vrf:lib/vrf[name='vrf']/frr-zebra:zebra",
list_entry=list_entry@entry=0x55555580f290, list_keys=list_keys@entry=0x7fffffff9550, translator=translator@entry=0x0, first=first@entry=false, flags=0,
cb=0x7ffff7eb35b0 <nb_cli_oper_data_cb>, arg=0x555555cc7710) at lib/northbound.c:1851
#6 0x00007ffff7eafdde in nb_oper_data_iter_children (snode=snode@entry=0x555555828df0, xpath=xpath@entry=0x7fffffff8830 "/frr-vrf:lib/vrf[name='vrf']/frr-zebra:zebra",
list_entry=list_entry@entry=0x55555580f290, list_keys=list_keys@entry=0x7fffffff9550, translator=translator@entry=0x0, flags=flags@entry=0, cb=0x7ffff7eb35b0 <nb_cli_oper_data_cb>,
arg=0x555555cc7710, first=false) at lib/northbound.c:1609
#7 0x00007ffff7eafc3c in nb_oper_data_iter_node (snode=snode@entry=0x555555828df0, xpath_parent=xpath_parent@entry=0x7fffffff9d60 "/frr-vrf:lib/vrf[name='vrf']",
list_entry=list_entry@entry=0x55555580f290, list_keys=list_keys@entry=0x7fffffff9550, translator=translator@entry=0x0, first=first@entry=false, flags=0,
cb=0x7ffff7eb35b0 <nb_cli_oper_data_cb>, arg=0x555555cc7710) at lib/northbound.c:1851
#8 0x00007ffff7eafdde in nb_oper_data_iter_children (snode=, xpath=xpath@entry=0x7fffffff9d60 "/frr-vrf:lib/vrf[name='vrf']", list_entry=list_entry@entry=0x55555580f290,
list_keys=list_keys@entry=0x7fffffff9550, translator=translator@entry=0x0, flags=flags@entry=0, cb=0x7ffff7eb35b0 <nb_cli_oper_data_cb>, arg=0x555555cc7710, first=false)
at lib/northbound.c:1609
#9 0x00007ffff7eafa94 in nb_oper_data_iter_list (parent_list_keys=0x1, arg=0x555555cc7710, cb=0x7ffff7eb35b0 <nb_cli_oper_data_cb>, flags=0, translator=0x0, parent_list_entry=0x0,
xpath_list=0x7fffffff9960 "/frr-vrf:lib/vrf", nb_node=) at lib/northbound.c:1780
#10 nb_oper_data_iter_node (snode=snode@entry=0x555555888700, xpath_parent=xpath_parent@entry=0x7fffffffaa90 "/frr-vrf:lib", list_entry=list_entry@entry=0x0,
list_keys=list_keys@entry=0x7fffffffb750, translator=translator@entry=0x0, first=first@entry=false, flags=0, cb=0x7ffff7eb35b0 <nb_cli_oper_data_cb>, arg=0x555555cc7710)
at lib/northbound.c:1846
#11 0x00007ffff7eafdde in nb_oper_data_iter_children (snode=snode@entry=0x555555828a60, xpath=xpath@entry=0x7fffffffaa90 "/frr-vrf:lib", list_entry=list_entry@entry=0x0,
list_keys=list_keys@entry=0x7fffffffb750, translator=translator@entry=0x0, flags=flags@entry=0, cb=0x7ffff7eb35b0 <nb_cli_oper_data_cb>, arg=0x555555cc7710, first=false)
at lib/northbound.c:1609
#12 0x00007ffff7eafc3c in nb_oper_data_iter_node (snode=, xpath_parent=xpath_parent@entry=0x555555ca1250 "/frr-vrf:lib", list_entry=list_entry@entry=0x0,
list_keys=list_keys@entry=0x7fffffffb750, translator=translator@entry=0x0, first=first@entry=true, flags=0, cb=0x7ffff7eb35b0 <nb_cli_oper_data_cb>, arg=0x555555cc7710)
at lib/northbound.c:1851
#13 0x00007ffff7eb0373 in nb_oper_data_iterate (xpath=xpath@entry=0x555555ca1250 "/frr-vrf:lib", translator=translator@entry=0x0, flags=flags@entry=0,
cb=cb@entry=0x7ffff7eb35b0 <nb_cli_oper_data_cb>, arg=0x555555cc7710) at lib/northbound.c:1966
#14 0x00007ffff7eb43ad in show_yang_operational_data_magic (self=, argc=, argv=, json=, with_config=0x0, translator_family=0x0,
xml=, xpath=0x555555ca1250 "/frr-vrf:lib", vty=0x555555b18900) at lib/northbound_cli.c:1490
#15 show_yang_operational_data (self=, vty=0x555555b18900, argc=, argv=) at ./lib/northbound_cli_clippy.c:906
#16 0x00007ffff7e7521e in cmd_execute_command_real (vline=vline@entry=0x555555ca1ec0, vty=vty@entry=0x555555b18900, cmd=cmd@entry=0x0, up_level=up_level@entry=0, filter=FILTER_RELAXED)
at lib/command.c:988
#17 0x00007ffff7e7537e in cmd_execute_command (vline=vline@entry=0x555555c9e020, vty=vty@entry=0x555555b18900, cmd=0x0, vtysh=vtysh@entry=0) at lib/command.c:1038
#18 0x00007ffff7e75560 in cmd_execute (vty=vty@entry=0x555555b18900, cmd=cmd@entry=0x555555b1fce0 "do show yang operational-data /frr-vrf:lib", matched=matched@entry=0x0, vtysh=vtysh@entry=0)
at lib/command.c:1215
#19 0x00007ffff7ee81ee in vty_command (vty=vty@entry=0x555555b18900, buf=) at lib/vty.c:505
#20 0x00007ffff7ee842d in vty_execute (vty=0x555555b18900) at lib/vty.c:1268
#21 0x00007ffff7eeb250 in vtysh_read (thread=) at lib/vty.c:2167
#22 0x00007ffff7ee2b81 in thread_call (thread=thread@entry=0x7fffffffe110) at lib/thread.c:1991
#23 0x00007ffff7e9a998 in frr_run (master=0x555555765ba0) at lib/libfrr.c:1185
#24 0x00005555555dc72e in main (argc=16, argv=0x7fffffffe518) at zebra/main.c:465

[qing8717]

I found the bug is a NULL point in the function lib_vrf_zebra_ribs_rib_get_next:
struct vrf *vrf = (struct vrf *)args->parent_list_entry;
struct zebra_router_table *zrt =
(struct zebra_router_table *)args->list_entry;

struct zebra_vrf *zvrf;
afi_t afi;
safi_t safi;

zvrf = zebra_vrf_lookup_by_id(vrf->vrf_id);
if (zvrf == NULL)   // should to be added
	return NULL; //should to be added

if (args->list_entry == NULL) {
	afi = AFI_IP;
	safi = SAFI_UNICAST;
   zrt = zebra_router_find_zrt(zvrf, zvrf->table_id, afi, safi);

[donaldsharp]

well if the vrf pointer has an invalid vrf_id. Something terrible has gone wrong and just returning a NULL value there may prevent the crash there but it will happen again. Can you give us your config as well?

[qing8717]

OK, my pleasure!
1> I added a vrf name test in OS:
ip link add dev test type vrf table 10
ip link set test up
2> I imported the XML by sysrepocfg:
sysrepocfg --format=xml --import=/home/sr/frr_dev/vrf.xml --datastore=running

<lib xmlns="http://frrouting.org/yang/vrf">
	<vrf>
		<name>default</name>
	</vrf>
	<vrf>
		<name>test</name>
	</vrf>
	<vrf>
		<name>vrf</name>
	</vrf>
</lib>

[github-actions]

This issue is stale because it has been open 180 days with no activity. Comment or remove the autoclose label in order to avoid having this issue closed.

[frrbot]

This issue will be automatically closed in the specified period unless there is further activity.