
bgpd: Fix infinite loop in MRT route dump for oversized paths #22082

Merged
Jafaral merged 1 commit into FRRouting:master from opensourcerouting:fix/bgp_dump_route_node_record on May 29, 2026

Conversation

@ton31337 (Member)

No description provided.

@ton31337 (Member, Author)

@Mergifyio backport stable/10.6 stable/10.5 stable/10.4 stable/10.3 stable/10.2

@mergify Bot commented May 27, 2026

backport stable/10.6 stable/10.5 stable/10.4 stable/10.3 stable/10.2

✅ Backports have been created


@greptile-apps Bot commented May 27, 2026

Greptile Summary

This PR fixes an infinite loop in bgp_dump_route_node_record that occurred when a single path's serialized size exceeded BGP_STANDARD_MESSAGE_MAX_PACKET_SIZE + BGP_DUMP_MSG_HEADER + BGP_DUMP_HEADER_SIZE. The caller's while (path) loop would call the function with the same oversized path indefinitely because the function returned without advancing path.

  • When entry_count == 0 at the overflow check, the path is now advanced to path->next (with a flog_warn) before breaking, ensuring the caller always makes forward progress.
  • A second guard after the loop returns early without calling fwrite when entry_count == 0, preventing a zero-entry MRT record from being emitted — directly addressing the concern raised in the previous review.

Confidence Score: 5/5

Safe to merge — both the infinite loop and the zero-entry record emission are correctly fixed with no new regressions introduced.

The two new guards are logically sound, tightly scoped, and correctly interlock: stream_reset at function entry means the partially-written obuf is harmlessly discarded on the next call, and the early return on entry_count == 0 means no corrupt record reaches the MRT file. The previous reviewer's concern about zero-entry records is fully addressed.

No files require special attention.

Important Files Changed

Filename: bgpd/bgp_dump.c
Overview: Adds two coordinated guards to bgp_dump_route_node_record: advance path past an oversized entry (fixing the infinite loop) and skip writing a zero-entry MRT record (addressing a previous review concern). Logic is correct and obuf state is safe because stream_reset is called at function entry.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[bgp_dump_route_node_record called with path, seq] --> B[stream_reset obuf, build MRT header + prefix]
    B --> C{for loop: path != NULL}
    C -- yes --> D[Write peer_index, originated, addpath_id, attributes to obuf]
    D --> E{cur_endp > max packet size?}
    E -- no --> F[entry_count++, endp = cur_endp, path = path.next]
    F --> C
    E -- yes --> G[stream_set_endp obuf endp - revert oversized write]
    G --> H{entry_count == 0? single path too large}
    H -- yes --> I[flog_warn: skipping oversized path, path = path.next]
    I --> J[break]
    H -- no --> J
    C -- path == NULL --> K[exit loop normally]
    J --> L{entry_count == 0?}
    K --> L
    L -- yes --> M[return path - no fwrite, skip zero-entry record]
    L -- no --> N[stream_putw_at sizep entry_count, bgp_dump_set_size, fwrite to MRT file]
    N --> O[return path - next batch starts here]

Reviews (2): Last reviewed commit: "bgpd: Fix infinite loop in MRT route dum..."
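The forward-progress bug and the two guards described in the summary above, as an added example in constructed C that is not FRR's bgp_dump.c: the record size limit, the `stats` bookkeeping, the `fixed` switch and the sample path list are assumptions, and `dump_route_node_record` is a model of the real function, not its code.

```c
/* Constructed model of the MRT record-batching loop in bgp_dump_route_node_record and its caller; sizes, names and the stats bookkeeping are illustrative, not FRR's code. */
#define MAX_RECORD_BYTES 64 /* stands in for MAX_PACKET_SIZE + MRT/dump header sizes */
#define HEADER_BYTES 12	    /* MRT header + prefix written before the first entry */

struct path { int attr_len; struct path *next; };
struct dump_stats { int records, entries, skipped, zero_entry_records; };
static struct dump_stats stats; /* records == fwrite calls; zero_entry_records must stay 0 */

/* Packs as many entries as fit into one record and returns the path the next record
 * starts at. fixed == 0 reproduces the pre-fix behaviour: an oversized single path
 * yields a zero-entry record and the same path is returned, so the caller spins. */
static struct path *dump_route_node_record(struct path *path, int fixed)
{
	int endp = HEADER_BYTES; /* obuf after stream_reset + header */
	int entry_count = 0;
	for (; path; path = path->next) {
		int cur_endp = endp + path->attr_len;
		if (cur_endp > MAX_RECORD_BYTES) { /* stream_set_endp(obuf, endp) reverts it */
			if (fixed && entry_count == 0) { /* guard 1: flog_warn, skip, make progress */
				stats.skipped++;
				path = path->next;
			}
			break;
		}
		endp = cur_endp;
		entry_count++;
	}
	if (entry_count == 0) {
		if (fixed) return path; /* guard 2: no empty record reaches the file */
		stats.zero_entry_records++;
	}
	stats.records++; /* fwrite of the assembled record */
	stats.entries += entry_count;
	return path;
}

/* Caller loop as in bgp_dump_routes_func over a constructed list whose 100-byte path can
 * never fit. Returns calls made, or -1 if 1000 calls never reached the end of the list. */
static int demo(int fixed)
{
	struct path p[6] = {{20, 0}, {30, 0}, {100, 0}, {20, 0}, {20, 0}, {20, 0}};
	int calls = 0;
	for (int i = 0; i < 5; i++)
		p[i].next = &p[i + 1];
	stats = (struct dump_stats){0};
	for (struct path *head = p; head; head = dump_route_node_record(head, fixed))
		if (++calls > 1000)
			return -1; /* the infinite-loop symptom */
	return calls;
}
```

With `fixed == 1` the list is dumped in four calls, three records and one skipped path; with `fixed == 0` the second call keeps returning the oversized path and emits an empty record each time.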

This is a complete fix for CVE-2016-4049.

Fixes: 246556b ("bgpd: Fix buffer overflow error in bgp_dump_routes_func")

Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
@ton31337 force-pushed the fix/bgp_dump_route_node_record branch from 3db6044 to 553f44e on May 28, 2026 09:01
@github-actions Bot added the "rebase" (PR needs rebase) label on May 28, 2026
@Jafaral merged commit 6ecb364 into FRRouting:master on May 29, 2026
24 checks passed
donaldsharp added a commit that referenced this pull request May 29, 2026
bgpd: Fix infinite loop in MRT route dump for oversized paths (backport #22082)