From: Maria Matejka <mq@ucw.cz>
Date: Wed, 21 May 2025 11:53:35 +0000 (+0200)
Subject: ASPA: fix aspa_check_upstream and aspa_check_downstream parse crash
X-Git-Tag: v3.1.2~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f0541c06b7b7b019a3a38255a9496a1d13dc3595;p=thirdparty%2Fbird.git

ASPA: fix aspa_check_upstream and aspa_check_downstream parse crash

Due to internal differences between BIRD 2 and 3, there is
FI_CURRENT_ROUTE in BIRD 3 and `val.rte == NULL` is not supported
as a shortcut for fetching the route object.

When merging, we forgot to fix this difference in the BGP config parser,
thus the constant folder failed to recognize that this is not a constant
expression, leading to accidentally dereference the NULL route pointer
in config parse time.

This fixes #247.
---

diff --git a/proto/bgp/config.Y b/proto/bgp/config.Y
index af3529b5a..a228614b7 100644
--- a/proto/bgp/config.Y
+++ b/proto/bgp/config.Y
@@ -536,7 +536,7 @@ CF_CLI(RELOAD BGP OUT, proto_patt, [<name>], [[Refresh routes to neighbor]])
 term: ASPA_CHECK_DOWNSTREAM '(' rtable ')' { $$ =
   f_new_inst(FI_ASPA_CHECK_EXPLICIT,
       f_new_inst(FI_EA_GET,
-	f_new_inst(FI_CONSTANT, (struct f_val) { .type = T_ROUTE, .val.rte = NULL, }),
+	f_new_inst(FI_CURRENT_ROUTE),
 	ea_class_find_by_name("bgp_path")
       ),
       f_new_inst(FI_CONSTANT, (struct f_val) { .type = T_BOOL, .val.i = 0, }),
@@ -547,7 +547,7 @@ term: ASPA_CHECK_DOWNSTREAM '(' rtable ')' { $$ =
 term: ASPA_CHECK_UPSTREAM '(' rtable ')' { $$ =
   f_new_inst(FI_ASPA_CHECK_EXPLICIT,
       f_new_inst(FI_EA_GET,
-	f_new_inst(FI_CONSTANT, (struct f_val) { .type = T_ROUTE, .val.rte = NULL, }),
+	f_new_inst(FI_CURRENT_ROUTE),
 	ea_class_find_by_name("bgp_path")
       ),
       f_new_inst(FI_CONSTANT, (struct f_val) { .type = T_BOOL, .val.i = 1, }),