FRRouting / frr

The FRRouting Protocol Suite
https://frrouting.org/

Zebra daemon cored when interface name has special character #6468

Open vijaykug opened 4 years ago

vijaykug commented 4 years ago

Zebra daemon cored when interface name has special character

Issue :-

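While generating interface configurations at scale, the interface value was by mistake emitted as shown here: "('vtysh -c "configure" -c "interface ens224.%s" %i -c "ip pim"', shell=True)) ", which causes zebra to dump core. The backtrace below shows why: the name "ens224.%s" ends up inside the xpath_base_fmt string that nb_cli_apply_changes() passes to vsnprintf() as the format, so the "%s" is parsed as a conversion specifier with no matching argument (an uncontrolled format string, CWE-134) instead of being treated as literal text.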

Core dump :-

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007f812b52b70d in poll () at ../sysdeps/unix/syscall-template.S:84
84      ../sysdeps/unix/syscall-template.S: No such file or directory.
(gdb) c
Continuing.

Thread 1 "zebra" received signal SIGSEGV, Segmentation fault.
0x00007f812b47ecc0 in _IO_vfprintf_internal (s=s@entry=0x7ffc7a07ff90, format=<optimized out>, format@entry=0x7ffc7a080670 "/frr-interface:lib/interface[name='ens224.%s'][vrf='default']",
    ap=ap@entry=0x7ffc7a080138) at vfprintf.c:1632
1632    vfprintf.c: No such file or directory.
(gdb) bt
#0  0x00007f812b47ecc0 in _IO_vfprintf_internal (s=s@entry=0x7ffc7a07ff90, format=<optimized out>,
    format@entry=0x7ffc7a080670 "/frr-interface:lib/interface[name='ens224.%s'][vrf='default']", ap=ap@entry=0x7ffc7a080138) at vfprintf.c:1632
#1  0x00007f812b546856 in ___vsnprintf_chk (s=s@entry=0x7ffc7a080150 "/frr-interface:lib/interface[name='ens224.", maxlen=<optimized out>, maxlen@entry=512, flags=flags@entry=1,
    slen=slen@entry=512, format=format@entry=0x7ffc7a080670 "/frr-interface:lib/interface[name='ens224.%s'][vrf='default']", args=args@entry=0x7ffc7a080138) at vsnprintf_chk.c:63
#2  0x00007f812be8d602 in vsnprintf (__ap=0x7ffc7a080138, __fmt=0x7ffc7a080670 "/frr-interface:lib/interface[name='ens224.%s'][vrf='default']", __n=512,
    __s=0x7ffc7a080150 "/frr-interface:lib/interface[name='ens224.") at /usr/include/x86_64-linux-gnu/bits/stdio2.h:77
#3  nb_cli_apply_changes (vty=vty@entry=0x1b66420, xpath_base_fmt=xpath_base_fmt@entry=0x7ffc7a080670 "/frr-interface:lib/interface[name='ens224.%s'][vrf='default']")
    at lib/northbound_cli.c:100
#4  0x00007f812be7588f in interface_magic (vty=0x1b66420, ifname=0x1b69190 "ens224.%s", vrf_name=0x7f812c1420c0 <vrf_default_name> "default", argv=<optimized out>, argc=<optimized out>,
    self=<optimized out>) at lib/if.c:1361
#5  0x00007f812be5e8bd in cmd_execute_command_real (vline=vline@entry=0x19ce980, vty=vty@entry=0x1b66420, cmd=cmd@entry=0x0, filter=FILTER_RELAXED) at lib/command.c:907
#6  0x00007f812be6085a in cmd_execute_command (vline=vline@entry=0x19ce980, vty=vty@entry=0x1b66420, cmd=0x0, vtysh=vtysh@entry=0) at lib/command.c:966
#7  0x00007f812be609d7 in cmd_execute (vty=vty@entry=0x1b66420, cmd=cmd@entry=0x1b61260 "interface ens224.%s", matched=matched@entry=0x0, vtysh=vtysh@entry=0) at lib/command.c:1120
#8  0x00007f812bebad82 in vty_command (vty=vty@entry=0x1b66420, buf=0x1b61260 "interface ens224.%s") at lib/vty.c:526
#9  0x00007f812bebb016 in vty_execute (vty=vty@entry=0x1b66420) at lib/vty.c:1293
#10 0x00007f812bebd90c in vtysh_read (thread=<optimized out>) at lib/vty.c:2126
#11 0x00007f812beb5450 in thread_call (thread=thread@entry=0x7ffc7a082fa0) at lib/thread.c:1549
#12 0x00007f812be7d630 in frr_run (master=0x18304e0) at lib/libfrr.c:1094
#13 0x0000000000419114 in main (argc=8, argv=0x7ffc7a083388) at zebra/main.c:490

(gdb) bt full  >>>>>>>>>>>>>>>>>>>>>
#0  0x00007f812b47ecc0 in _IO_vfprintf_internal (s=s@entry=0x7ffc7a07ff90, format=<optimized out>,
    format@entry=0x7ffc7a080670 "/frr-interface:lib/interface[name='ens224.%s'][vrf='default']", ap=ap@entry=0x7ffc7a080138) at vfprintf.c:1632
        len = <optimized out>
        string_malloced = 0
        step0_jumps = {0, -4693, -4638, 73, 167, -4969, 1011, 437, -998, -752, 776, -7971, -7884, -7787, -7688, -7641, -4462, -4863, -1720, -2409, -1551, -30, -4147, -4051, -1688, -8907,
          -2093, -7690, -7787, 350}
        space = <optimized out>
        is_short = <optimized out>
        use_outdigits = <optimized out>
        step1_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, -752, 776, -7971, -7884, -7787, -7688, -7641, -4462, -4863, -1720, -2409, -1551, -30, -4147, -4051, -1688, -8907, -2093, -7690, -7787, 0}
        group = <optimized out>
        prec = -1
        step2_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 776, -7971, -7884, -7787, -7688, -7641, -4462, -4863, -1720, -2409, -1551, -30, -4147, -4051, -1688, -8907, -2093, -7690, -7787, 0}
        string = 0x2 <error: Cannot access memory at address 0x2>
        left = <optimized out>
        is_long_double = <optimized out>
        width = <optimized out>
        step3a_jumps = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 863, 0, 0, 0, -7688, -7641, -4462, -4863, -1720, 0, 0, 0, 0, -4051, 0, 0, 0, 0, 0, 0}
        alt = <optimized out>
        showsign = <optimized out>
        is_long = 0
        is_char = <optimized out>
        pad = <optimized out>
        step3b_jumps = {0 <repeats 11 times>, -7884, 0, 0, -7688, -7641, -4462, -4863, -1720, -2409, -1551, -30, -4147, -4051, -1688, -8907, -2093, 0, 0, 0}
        step4_jumps = {0 <repeats 14 times>, -7688, -7641, -4462, -4863, -1720, -2409, -1551, -30, -4147, -4051, -1688, -8907, -2093, 0, 0, 0}
        is_negative = <optimized out>
        number = <optimized out>
        base = <optimized out>
        the_arg = {pa_wchar = 736312656 L'\x2be33d50', pa_int = 736312656, pa_long_int = 140192763821392, pa_long_long_int = 140192763821392, pa_u_int = 736312656,
          pa_u_long_int = 140192763821392, pa_u_long_long_int = 140192763821392, pa_double = 6.9264428399685381e-310, pa_long_double = <invalid float value>,
          pa_string = 0x7f812be33d50 "\211\022", pa_wstring = 0x7f812be33d50 L"\x1289\xc0012\x54070", pa_pointer = 0x7f812be33d50, pa_user = 0x7f812be33d50}
        spec = <optimized out>
        _buffer = {__routine = 0x7ffc7a07fbb0, __arg = 0x7f812c140960 <MTYPE_LINK_NODE>, __canceltype = 2047343520, __prev = 0x1ad1640}
        _avail = <optimized out>
        thousands_sep = 0x0
        grouping = 0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>
        done = <optimized out>
        f = 0x7ffc7a08069b "s'][vrf='default']"
        lead_str_end = 0x7ffc7a08069a "%s'][vrf='default']"
        end_of_spec = <optimized out>
        work_buffer = "Q\004\370\205\003\200\377\377\257\373\az\374\177\000\000\000\000\000\000\000\000\000\000\002\000\000\000\060", '\000' <repeats 19 times>, "[\000\000\000n", '\000' <repeats 19 times>, "w\000\000\000|\000\000\000 \374\az\374\177\000\000\030\000\000\000\000\000\000\000\002\000\000\000\374\177\000\000\016\000\000\000\000\000\000\000\341\003\370\205\003\200\377\377 K\177+\201\177\000\000\030\000\000\000\000\000\000\000PC\003\000\000\000\000\000\260\214\271\001", '\000' <repeats 20 times>, "\312MK+\201\177\000\000\000\000\000\000\000\000\000\000`\t\024,\201\177\000\000p\374\az\374\177\000\000"...
---Type <return> to continue, or q <return> to quit---
        workstart = <optimized out>
        workend = <optimized out>
        ap_save = <error reading variable ap_save (Attempt to dereference a generic pointer.)>
        nspecs_done = 0
        save_errno = 11
        readonly_format = 0
        __PRETTY_FUNCTION__ = "_IO_vfprintf_internal"
#1  0x00007f812b546856 in ___vsnprintf_chk (s=s@entry=0x7ffc7a080150 "/frr-interface:lib/interface[name='ens224.", maxlen=<optimized out>, maxlen@entry=512, flags=flags@entry=1,
    slen=slen@entry=512, format=format@entry=0x7ffc7a080670 "/frr-interface:lib/interface[name='ens224.%s'][vrf='default']", args=args@entry=0x7ffc7a080138) at vsnprintf_chk.c:63
        sf = {f = {_sbf = {_f = {_flags = -72515583, _IO_read_ptr = 0x7ffc7a080150 "/frr-interface:lib/interface[name='ens224.",
                _IO_read_end = 0x7ffc7a080150 "/frr-interface:lib/interface[name='ens224.", _IO_read_base = 0x7ffc7a080150 "/frr-interface:lib/interface[name='ens224.",
                _IO_write_base = 0x7ffc7a080150 "/frr-interface:lib/interface[name='ens224.", _IO_write_ptr = 0x7ffc7a08017a "", _IO_write_end = 0x7ffc7a08034f "",
                _IO_buf_base = 0x7ffc7a080150 "/frr-interface:lib/interface[name='ens224.", _IO_buf_end = 0x7ffc7a08034f "", _IO_save_base = 0x0, _IO_backup_base = 0x0,
                _IO_save_end = 0x0, _markers = 0x0, _chain = 0x0, _fileno = -16777216, _flags2 = 4, _old_offset = -1, _cur_column = 0, _vtable_offset = 0 '\000', _shortbuf = "",
                _lock = 0x0, _offset = 0, _codecvt = 0x0, _wide_data = 0xffffffffffffffff, _freeres_list = 0x0, _freeres_buf = 0x0, __pad5 = 0, _mode = -1,
                _unused2 = '\000' <repeats 12 times>, "\340\000\bz\000\000\000"}, vtable = 0x7f812b7f34a0 <_IO_strn_jumps>}, _s = {_allocate_buffer = 0x0, _free_buffer = 0x1994050}},
          overflow_buf = "pA\231\001\000\000\000\000\320\300\205\001", '\000' <repeats 12 times>, "\204AK+\201\177\000\000p\006\bz\374\177\000\000\000\002\000\000\000\000\000\000\001\000\000\000\000\000\000\000\000\002\000\000\000\000\000"}
        ret = <optimized out>
#2  0x00007f812be8d602 in vsnprintf (__ap=0x7ffc7a080138, __fmt=0x7ffc7a080670 "/frr-interface:lib/interface[name='ens224.%s'][vrf='default']", __n=512,
    __s=0x7ffc7a080150 "/frr-interface:lib/interface[name='ens224.") at /usr/include/x86_64-linux-gnu/bits/stdio2.h:77
No locals.
#3  nb_cli_apply_changes (vty=vty@entry=0x1b66420, xpath_base_fmt=xpath_base_fmt@entry=0x7ffc7a080670 "/frr-interface:lib/interface[name='ens224.%s'][vrf='default']")
    at lib/northbound_cli.c:100
        ap = <error reading variable ap (Attempt to dereference a generic pointer.)>
        xpath_base = "/frr-interface:lib/interface[name='ens224.", '\000' <repeats 469 times>
        error = false
        ret = <optimized out>
        __func__ = "nb_cli_apply_changes"
#4  0x00007f812be7588f in interface_magic (vty=0x1b66420, ifname=0x1b69190 "ens224.%s", vrf_name=0x7f812c1420c0 <vrf_default_name> "default", argv=<optimized out>, argc=<optimized out>,
    self=<optimized out>) at lib/if.c:1361
        xpath_list = "/frr-interface:lib/interface[name='ens224.%s'][vrf='default']\000\000\000\020\274\266\001\000\000\000\000\006\000\000\000\000\000\000\000\260\b\bz\374\177\000\000\306\332\025,\201\177\000\000\005", '\000' <repeats 23 times>, "`E\343+\201\177\000\000\200\b\bz\374\177\000\000#Y\026,\201\177", '\000' <repeats 50 times>, "\002\000\000\000\000\000\000\000"...
        vrf_id = 0
        ifp = <optimized out>
        ret = <optimized out>
#5  0x00007f812be5e8bd in cmd_execute_command_real (vline=vline@entry=0x19ce980, vty=vty@entry=0x1b66420, cmd=cmd@entry=0x0, filter=FILTER_RELAXED) at lib/command.c:907
        argv_list = 0x1b69090
        status = <optimized out>
        matched_element = 0x7f812c1371e0 <interface_cmd>
        argv = 0x19cea00
        ln = <optimized out>
        token = <optimized out>
---Type <return> to continue, or q <return> to quit---
        i = 0
        argc = 2
        ret = <optimized out>
#6  0x00007f812be6085a in cmd_execute_command (vline=vline@entry=0x19ce980, vty=vty@entry=0x1b66420, cmd=0x0, vtysh=vtysh@entry=0) at lib/command.c:966
        ret = <optimized out>
        saved_ret = 0
        onode = CONFIG_NODE
        try_node = CONFIG_NODE
        orig_xpath_index = 0
#7  0x00007f812be609d7 in cmd_execute (vty=vty@entry=0x1b66420, cmd=cmd@entry=0x1b61260 "interface ens224.%s", matched=matched@entry=0x0, vtysh=vtysh@entry=0) at lib/command.c:1120
        ret = <optimized out>
        cmd_out = <optimized out>
        cmd_exec = 0x1b61260 "interface ens224.%s"
        vline = 0x19ce980
#8  0x00007f812bebad82 in vty_command (vty=vty@entry=0x1b66420, buf=0x1b61260 "interface ens224.%s") at lib/vty.c:526
        before = {cpu = {ru_utime = {tv_sec = 0, tv_usec = 5826}, ru_stime = {tv_sec = 0, tv_usec = 0}, {ru_maxrss = 7808, __ru_maxrss_word = 7808}, {ru_ixrss = 0, __ru_ixrss_word = 0}, {
              ru_idrss = 0, __ru_idrss_word = 0}, {ru_isrss = 0, __ru_isrss_word = 0}, {ru_minflt = 341, __ru_minflt_word = 341}, {ru_majflt = 0, __ru_majflt_word = 0}, {ru_nswap = 0,
              __ru_nswap_word = 0}, {ru_inblock = 0, __ru_inblock_word = 0}, {ru_oublock = 0, __ru_oublock_word = 0}, {ru_msgsnd = 0, __ru_msgsnd_word = 0}, {ru_msgrcv = 0,
              __ru_msgrcv_word = 0}, {ru_nsignals = 0, __ru_nsignals_word = 0}, {ru_nvcsw = 51, __ru_nvcsw_word = 51}, {ru_nivcsw = 1, __ru_nivcsw_word = 1}}, real = {tv_sec = 600033,
            tv_usec = 521419}}
        after = {cpu = {ru_utime = {tv_sec = 0, tv_usec = 5749}, ru_stime = {tv_sec = 0, tv_usec = 0}, {ru_maxrss = 7808, __ru_maxrss_word = 7808}, {ru_ixrss = 0, __ru_ixrss_word = 0}, {
              ru_idrss = 0, __ru_idrss_word = 0}, {ru_isrss = 0, __ru_isrss_word = 0}, {ru_minflt = 341, __ru_minflt_word = 341}, {ru_majflt = 0, __ru_majflt_word = 0}, {ru_nswap = 0,
              __ru_nswap_word = 0}, {ru_inblock = 0, __ru_inblock_word = 0}, {ru_oublock = 0, __ru_oublock_word = 0}, {ru_msgsnd = 0, __ru_msgsnd_word = 0}, {ru_msgrcv = 0,
              __ru_msgrcv_word = 0}, {ru_nsignals = 0, __ru_nsignals_word = 0}, {ru_nvcsw = 50, __ru_nvcsw_word = 50}, {ru_nivcsw = 1, __ru_nivcsw_word = 1}}, real = {tv_sec = 600033,
            tv_usec = 520880}}
        realtime = <optimized out>
        cputime = 0
        ret = <optimized out>
        cp = <optimized out>
        __PRETTY_FUNCTION__ = "vty_command"
#9  0x00007f812bebb016 in vty_execute (vty=vty@entry=0x1b66420) at lib/vty.c:1293
        ret = 0
#10 0x00007f812bebd90c in vtysh_read (thread=<optimized out>) at lib/vty.c:2126
        ret = <optimized out>
        sock = 59
        nbytes = <optimized out>
        vty = 0x1b66420
        buf = "interface ens224.%s\000\000\000\000\000\030\000\000\000\000\000\000\000@,\bz\374\177\000\000\001\000\000\000\000\000\000\000@\330\353+\201\177\000\000\000\020\000\000\000\000\000\000`,\bz\374\177\000\000?,\bz\374\177\000\000\000\000\000\000\000\000\000\000\002\000\000\000\060\000\000\000\241\323\367\205\003\200\377\377_,\bz\374\177\000\000*#\357+\201\177\000\000\000\035\265\363w\214O8\b\000\000\000\000\000\000\000\b#\357+\201\177\000\000\340\004\203\001\000\000\000\000P\206\266\001\000\000\000\000;", '\000' <repeats 16 times>, "-\bz\374\177\000\000ɤ\200+\201\177\000\000\000\000\000\000\000\000\000\000\020"...
        p = 0x7ffc7a082bc3 ""
        header = "\000\000\000"
        __func__ = "vtysh_read"
---Type <return> to continue, or q <return> to quit---
#11 0x00007f812beb5450 in thread_call (thread=thread@entry=0x7ffc7a082fa0) at lib/thread.c:1549
        realtime = 48
        cputime = 0
        exp = 25388984
        helper = 1
        before = {cpu = {ru_utime = {tv_sec = 0, tv_usec = 5826}, ru_stime = {tv_sec = 0, tv_usec = 0}, {ru_maxrss = 7808, __ru_maxrss_word = 7808}, {ru_ixrss = 0, __ru_ixrss_word = 0}, {
              ru_idrss = 0, __ru_idrss_word = 0}, {ru_isrss = 0, __ru_isrss_word = 0}, {ru_minflt = 341, __ru_minflt_word = 341}, {ru_majflt = 0, __ru_majflt_word = 0}, {ru_nswap = 0,
              __ru_nswap_word = 0}, {ru_inblock = 0, __ru_inblock_word = 0}, {ru_oublock = 0, __ru_oublock_word = 0}, {ru_msgsnd = 0, __ru_msgsnd_word = 0}, {ru_msgrcv = 0,
              __ru_msgrcv_word = 0}, {ru_nsignals = 0, __ru_nsignals_word = 0}, {ru_nvcsw = 51, __ru_nvcsw_word = 51}, {ru_nivcsw = 1, __ru_nivcsw_word = 1}}, real = {tv_sec = 600033,
            tv_usec = 521409}}
        after = {cpu = {ru_utime = {tv_sec = 140722355842816, tv_usec = 25363720}, ru_stime = {tv_sec = 1, tv_usec = 25363944}, {ru_maxrss = 0, __ru_maxrss_word = 0}, {ru_ixrss = 0,
              __ru_ixrss_word = 0}, {ru_idrss = 0, __ru_idrss_word = 0}, {ru_isrss = 0, __ru_isrss_word = 0}, {ru_minflt = 600033, __ru_minflt_word = 600033}, {ru_majflt = 521408440,
              __ru_majflt_word = 521408440}, {ru_nswap = 1, __ru_nswap_word = 1}, {ru_inblock = 0, __ru_inblock_word = 0}, {ru_oublock = 0, __ru_oublock_word = 0}, {ru_msgsnd = 0,
              __ru_msgsnd_word = 0}, {ru_msgrcv = 0, __ru_msgrcv_word = 0}, {ru_nsignals = 0, __ru_nsignals_word = 0}, {ru_nvcsw = 50, __ru_nvcsw_word = 50}, {ru_nivcsw = 1,
              __ru_nivcsw_word = 1}}, real = {tv_sec = 600033, tv_usec = 4057616236101836032}}
#12 0x00007f812be7d630 in frr_run (master=0x18304e0) at lib/libfrr.c:1094
        instanceinfo = '\000' <repeats 63 times>
        __func__ = "frr_run"
        thread = {type = 4 '\004', add_type = 0 '\000', threaditem = {si = {next = 0x0}}, timeritem = {hi = {index = 0}}, ref = 0x1b68650, master = 0x18304e0,
          func = 0x7f812bebd840 <vtysh_read>, arg = 0x1b66420, u = {val = 59, fd = 59, sands = {tv_sec = 59, tv_usec = 0}}, real = {tv_sec = 600033, tv_usec = 521409}, hist = 0x1992240,
          yield = 10000, funcname = 0x7f812bef232a "vtysh_read", schedfrom = 0x7f812bef2308 "lib/vty.c", schedfrom_line = 2675, mtx = {__data = {__lock = 0, __count = 0, __owner = 0,
              __nusers = 0, __kind = 0, __spins = 0, __elision = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0}}
#13 0x0000000000419114 in main (argc=8, argv=0x7ffc7a083388) at zebra/main.c:490
        zserv_path = 0x0
        vrf_default_name_configured = 0x0
        dummy = {ss_family = 0,
          __ss_padding = '\000' <repeats 14 times>, "\060vm\000\000\000\000\000 \000\000\000\000\000\000\000\320\063\bz\374\177\000\000\210\063\bz\374\177\000\000 \203m\000\000\000\000\000\260*H\000\000\000\000\000\260\352\025,\201\177", '\000' <repeats 26 times>, "'\000\000\000\000\000\000\000hQ7,\201\177\000\000)\000\000\000\000\000\000", __ss_align = 4729485}
        dummylen = 0

[x] Did you check if this is a duplicate issue? [x] Did you test it on the latest FRRouting/frr master branch?

To Reproduce Steps to reproduce the behavior:

root@frr-jenkins:~# vtysh -c "configure" -c "interface ens224.%s"
vtysh: error reading from zebra: No such file or directory (2)Warning: closing connection to zebra because of an I/O error!
vtysh: error reading from pimd: No such file or directory (2)Warning: closing connection to pimd because of an I/O error!

Expected behavior A clear and concise description of what you expected to happen.

Screenshots If applicable, add screenshots to help explain your problem.

Versions

root@R4:~# dpkg -l | grep liby
ii  libyajl2:amd64                        2.1.0-2                     amd64        Yet Another JSON Library
ii  libyaml-0-2:amd64                     0.1.6-3                     amd64        Fast YAML 1.1 parser and emitter library
ii  libyaml-libyaml-perl                  0.41-6build1                amd64        Perl interface to libyaml, a YAML implementation
ii  libyang-dev                           0.16.105-1                  amd64        parser toolkit for IETF YANG data modeling - development files
ii  libyang0.16                           0.16.105-1                  amd64        parser toolkit for IETF YANG data modeling – runtime
rzalamena commented 1 year ago

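Looks like this is still an issue even on recent versions. The output below shows a YANG error rather than a lost connection, but the garbled XPath in that error suggests the "%s" in the interface name is still being expanded as a format specifier: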

vtysh -c "configure" -c "interface ens224.%s" %i -c "ip pim"
% Failed to edit configuration.

YANG error(s):
 Invalid character 0x65 ('e'), perhaps "'ens224./frr-interface:lib/interface[name='" is supposed to be a function call.
% Failed to edit configuration.