babeld: fix NULL pointer dereference in babel_clean_routing_process (backport #20727)#20850

Merged
donaldsharp merged 1 commit into stable/10.5 from mergify/bp/stable/10.5/pr-20727
Feb 16, 2026

Conversation

@mergify mergify bot commented Feb 16, 2026

When babeld receives an exit signal (SIGINT/SIGTERM) during shutdown or when babel_routing_process is NULL (never initialized or already freed), the program crashes with SIGSEGV due to a NULL pointer dereference in babel_clean_routing_process(). The function accesses babel_routing_process->t_read and babel_routing_process->t_update without checking if babel_routing_process is NULL first.

This can occur when:

  1. The program receives an exit signal before babel_routing_process is fully initialized
  2. babel_routing_process initialization fails but the cleanup function is still called
  3. The cleanup function is called multiple times

```
#0  __pthread_kill_implementation (no_tid=0, signo=11, threadid=140251119745472)
    at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=11, threadid=140251119745472)
    at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140251119745472, signo=signo@entry=11)
    at ./nptl/pthread_kill.c:89
#3  0x00007f8ec27a0476 in __GI_raise (sig=sig@entry=11)
    at ../sysdeps/posix/raise.c:26
#4  0x00007f8ec2b23836 in core_handler (signo=11, siginfo=0x7ffd37d9db70,
    context=<optimized out>) at lib/sigevent.c:268
#5  <signal handler called>
#6  0x00007f8ec2b3ebdd in event_cancel (thread=0x8) at lib/event.c:1456
#7  0x000063ee3c9e7a3e in babel_clean_routing_process ()
    at babeld/babeld.c:320
#8  0x000063ee3c9e4636 in babel_exit_properly () at babeld/babel_main.c:306
#9  babel_sigexit () at babeld/babel_main.c:92
#10 0x00007f8ec2b23cca in frr_sigevent_process () at lib/sigevent.c:117
#11 0x00007f8ec2b3f93d in event_fetch (m=m@entry=0x63ee60c108a0,
    fetch=fetch@entry=0x7ffd37d9e9b0) at lib/event.c:1742
#12 0x00007f8ec2ab85d3 in frr_run (loop=0x63ee60c108a0) at lib/libfrr.c:1249
#13 0x000063ee3c9de8bb in main (argc=12, argv=0x7ffd37d9ec08)
    at babeld/babel_main.c:205
```

---

This is an automatic backport of pull request #20727 done by [Mergify](https://mergify.com).

When babeld receives an exit signal (SIGINT/SIGTERM) during shutdown or when `babel_routing_process` is NULL (never initialized or already freed), the program crashes with SIGSEGV due to a NULL pointer dereference in `babel_clean_routing_process()`. The function accesses `babel_routing_process->t_read` and `babel_routing_process->t_update` without checking if `babel_routing_process` is NULL first.

This can occur when:
1. The program receives an exit signal before `babel_routing_process` is fully initialized
2. `babel_routing_process` initialization fails but the cleanup function is still called
3. The cleanup function is called multiple times

Fix: Add early return if babel_routing_process is NULL, and set it to NULL after freeing to prevent double-free issues.

Signed-off-by: LyZephyr <yunzheli@smail.nju.edu.cn>
(cherry picked from commit cb76f18)
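The failure mode and the fix described in this PR, as an added C sketch that is not FRR's code: `struct babel_process`, `cancel_event()`, `init_routing_process()` and the call counter are hypothetical stand-ins for the real types, with the pre-fix cleanup kept beside the guarded one so the difference on a NULL or repeated call is visible.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for FRR's event and babel routing-process types. */
struct event { int pending; };
struct babel_process { struct event *t_read; struct event *t_update; };
static struct babel_process *routing_process; /* NULL until initialised */
static int cancel_calls;
/* Stand-in for event_cancel(): it dereferences the event-pointer address it
 * is given, so &routing_process->t_read with routing_process == NULL (the
 * thread=0x8 argument in the backtrace) is where the fault would occur. */
static void cancel_event(struct event **ev)
{
	cancel_calls++;
	if (*ev) {
		free(*ev);
		*ev = NULL;
	}
}

int init_routing_process(void)
{
	routing_process = calloc(1, sizeof(*routing_process));
	if (!routing_process) return -1;
	routing_process->t_read = calloc(1, sizeof(struct event));
	routing_process->t_update = calloc(1, sizeof(struct event));
	return 0;
}

/* Before the fix (for comparison only): unconditional dereference, so a call
 * while routing_process is NULL (exit before init, failed init, second cleanup)
 * crashes inside cancel_event(). */
void clean_routing_process_before_fix(void)
{
	cancel_event(&routing_process->t_read);
	cancel_event(&routing_process->t_update);
	free(routing_process);
}
/* After the fix: early return on NULL, and reset to NULL after freeing so a
 * repeated call is a harmless no-op instead of a double free. */
void clean_routing_process(void)
{
	if (!routing_process)
		return;
	cancel_event(&routing_process->t_read);
	cancel_event(&routing_process->t_update);
	free(routing_process);
	routing_process = NULL;
}
int routing_process_active(void) { return routing_process != NULL; }
int cancel_count(void) { return cancel_calls; }
```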
greptile-apps bot commented Feb 16, 2026

Target branch is not in the allowed branches list.

@donaldsharp donaldsharp merged commit 2152ffe into stable/10.5 Feb 16, 2026
23 checks passed
@mergify mergify bot deleted the mergify/bp/stable/10.5/pr-20727 branch February 16, 2026 12:21