travelping / upg-vpp

User Plane Gateway (UPG) based on VPP
Apache License 2.0

Crash on invalid PFCP data #21

Open ivan4th opened 3 years ago

ivan4th commented 3 years ago

The following invalid SessionSetupRequest has caused a crash in the e2e tests (IPv6 mode TDF setup):

Frame 13: 503 bytes on wire (4024 bits), 503 bytes captured (4024 bits)
Ethernet II, Src: 4a:f8:a5:c3:85:ea (4a:f8:a5:c3:85:ea), Dst: fa:8a:78:4d:5b:5b (fa:8a:78:4d:5b:5b)
Internet Protocol Version 6, Src: 2001:db8:10::3, Dst: 2001:db8:10::2
User Datagram Protocol, Src Port: 8805, Dst Port: 8805
Packet Forwarding Control Protocol
    Flags: 0x21, SEID (S)
        001. .... = Version: 1
        ...0 .... = Spare: 0
        .... 0... = Spare: 0
        .... .0.. = Spare: 0
        .... ..0. = Message Priority (MP): False
        .... ...1 = SEID (S): True
    Message Type: PFCP Session Establishment Request (50)
    Length: 437
    SEID: 0x0000000000000000
    Sequence Number: 2
    Spare: 0
    Node ID : FQDN: pfcpstub
        IE Type: Node ID (60)
        IE Length: 10
        0000 .... = Spare: 0
        .... 0010 = Node ID Type: FQDN (2)
        Node ID FQDN: pfcpstub
    F-SEID : SEID: 0x3c04951aa42655d9, IPv4 0.0.0.0
        IE Type: F-SEID (57)
        IE Length: 13
        Flags: 0x02, V4 (IPv4)
            0... .... = Spare: 0
            .0.. .... = Spare: 0
            ..0. .... = Spare: 0
            ...0 .... = Spare: 0
            .... 0... = Spare: 0
            .... .0.. = Spare: 0
            .... ..1. = V4 (IPv4): Present
            .... ...0 = V6 (IPv6): Not Present
        SEID: 0x3c04951aa42655d9
        IPv4 address: 0.0.0.0
    Create PDR : [Grouped IE]
        IE Type: Create PDR (1)
        IE Length: 113
        Packet Detection Rule ID : 1
            IE Type: Packet Detection Rule ID (56)
            IE Length: 2
            Rule ID: 1
        FAR ID : Dynamic by CP 1
            IE Type: FAR ID (108)
            IE Length: 4
            0... .... .... .... .... .... .... .... = Allocation type: Dynamic by CP
            .000 0000 0000 0000 0000 0000 0000 0001 = FAR ID: 1
        Precedence : 200
            IE Type: Precedence (29)
            IE Length: 4
            Precedence: 200
        PDI : [Grouped IE]
            IE Type: PDI (2)
            IE Length: 79
            Network Instance : access
                IE Type: Network Instance (22)
                IE Length: 7
                Network Instance: access
            SDF Filter : 
                IE Type: SDF Filter (23)
                IE Length: 38
                Flags: 0x01, FD (Flow Description)
                    0000 .... = Spare: 0
                    ...0 .... = BID (Bidirectional SDF Filter): False
                    .... 0... = FL (Flow Label): False
                    .... .0.. = SPI (Security Parameter Index): False
                    .... ..0. = TTC (ToS Traffic Class): False
                    .... ...1 = FD (Flow Description): True
                Spare: 0
                Length of Flow Description: 34
                Flow Description: permit out ip from any to assigned
            Source Interface : Access
                IE Type: Source Interface (20)
                IE Length: 1
                0000 .... = Spare: 0
                .... 0000 = Source Interface: Access (0)
            UE IP Address : 
                IE Type: UE IP Address (93)
                IE Length: 17
                Flags: 0x01, V6 (IPv6)
                    0000 .... = Spare: 0
                    .... 0... = IPv6D: Source IP address
                    .... .0.. = S/D: Source IP address
                    .... ..0. = V4 (IPv4): Not Present
                    .... ...1 = V6 (IPv6): Present
                IPv6 address: ::
        URR ID : Dynamic by CP 1
            IE Type: URR ID (81)
            IE Length: 4
            0... .... .... .... .... .... .... .... = Allocation type: Dynamic by CP
            .000 0000 0000 0000 0000 0000 0000 0001 = URR ID: 1
    Create PDR : [Grouped IE]
        IE Type: Create PDR (1)
        IE Length: 110
        Packet Detection Rule ID : 2
            IE Type: Packet Detection Rule ID (56)
            IE Length: 2
            Rule ID: 2
        FAR ID : Dynamic by CP 2
            IE Type: FAR ID (108)
            IE Length: 4
            0... .... .... .... .... .... .... .... = Allocation type: Dynamic by CP
            .000 0000 0000 0000 0000 0000 0000 0010 = FAR ID: 2
        PDI : [Grouped IE]
            IE Type: PDI (2)
            IE Length: 76
            SDF Filter : 
                IE Type: SDF Filter (23)
                IE Length: 38
                Flags: 0x01, FD (Flow Description)
                    0000 .... = Spare: 0
                    ...0 .... = BID (Bidirectional SDF Filter): False
                    .... 0... = FL (Flow Label): False
                    .... .0.. = SPI (Security Parameter Index): False
                    .... ..0. = TTC (ToS Traffic Class): False
                    .... ...1 = FD (Flow Description): True
                Spare: 0
                Length of Flow Description: 34
                Flow Description: permit out ip from any to assigned
            Network Instance : sgi
                IE Type: Network Instance (22)
                IE Length: 4
                Network Instance: sgi
            Source Interface : SGi-LAN/N6-LAN
                IE Type: Source Interface (20)
                IE Length: 1
                0000 .... = Spare: 0
                .... 0010 = Source Interface: SGi-LAN/N6-LAN (2)
            UE IP Address : 
                IE Type: UE IP Address (93)
                IE Length: 17
                Flags: 0x05, S/D, V6 (IPv6)
                    0000 .... = Spare: 0
                    .... 0... = IPv6D: Source IP address
                    .... .1.. = S/D: Destination IP address
                    .... ..0. = V4 (IPv4): Not Present
                    .... ...1 = V6 (IPv6): Present
                IPv6 address: ::
        Precedence : 200
            IE Type: Precedence (29)
            IE Length: 4
            Precedence: 200
        URR ID : Dynamic by CP 1
            IE Type: URR ID (81)
            IE Length: 4
            0... .... .... .... .... .... .... .... = Allocation type: Dynamic by CP
            .000 0000 0000 0000 0000 0000 0000 0001 = URR ID: 1
    Create FAR : [Grouped IE]
        IE Type: Create FAR (3)
        IE Length: 76
        FAR ID : Dynamic by CP 1
            IE Type: FAR ID (108)
            IE Length: 4
            0... .... .... .... .... .... .... .... = Allocation type: Dynamic by CP
            .000 0000 0000 0000 0000 0000 0000 0001 = FAR ID: 1
        Apply Action : 
            IE Type: Apply Action (44)
            IE Length: 1
            Flags: 0x02, FORW (Forward)
                000. .... = Spare: 0
                ...0 .... = DUPL (Duplicate): False
                .... 0... = NOCP (Notify the CP function): False
                .... .0.. = BUFF (Buffer): False
                .... ..1. = FORW (Forward): True
                .... ...0 = DROP (Drop): False
        Forwarding Parameters : [Grouped IE]
            IE Type: Forwarding Parameters (4)
            IE Length: 59
            Destination Interface : SGi-LAN/N6-LAN
                IE Type: Destination Interface (42)
                IE Length: 1
                0000 .... = Spare: 0
                .... 0010 = Interface: SGi-LAN/N6-LAN (2)
            Network Instance : sgi
                IE Type: Network Instance (22)
                IE Length: 4
                Network Instance: sgi
            Redirect Information : 
                IE Type: Redirect Information (38)
                IE Length: 42
                0000 .... = Spare: 0
                .... 0010 = Redirect Address Type: URL (2)
                Redirect Server Address Length: 37
                Redirect Server Address: http://127.0.0.1/this-is-my-redirect/
                IE data not decoded by WS yet
                    [Expert Info (Note/Undecoded): IE data not decoded by WS yet]
                        [IE data not decoded by WS yet]
                        [Severity level: Note]
                        [Group: Undecoded]
    Create FAR : [Grouped IE]
        IE Type: Create FAR (3)
        IE Length: 33
        FAR ID : Dynamic by CP 2
            IE Type: FAR ID (108)
            IE Length: 4
            0... .... .... .... .... .... .... .... = Allocation type: Dynamic by CP
            .000 0000 0000 0000 0000 0000 0000 0010 = FAR ID: 2
        Apply Action : 
            IE Type: Apply Action (44)
            IE Length: 1
            Flags: 0x02, FORW (Forward)
                000. .... = Spare: 0
                ...0 .... = DUPL (Duplicate): False
                .... 0... = NOCP (Notify the CP function): False
                .... .0.. = BUFF (Buffer): False
                .... ..1. = FORW (Forward): True
                .... ...0 = DROP (Drop): False
        Forwarding Parameters : [Grouped IE]
            IE Type: Forwarding Parameters (4)
            IE Length: 16
            Destination Interface : Access
                IE Type: Destination Interface (42)
                IE Length: 1
                0000 .... = Spare: 0
                .... 0000 = Interface: Access (0)
            Network Instance : access
                IE Type: Network Instance (22)
                IE Length: 7
                Network Instance: access
    Create URR : [Grouped IE]
        IE Type: Create URR (6)
        IE Length: 19
        URR ID : Dynamic by CP 1
            IE Type: URR ID (81)
            IE Length: 4
            0... .... .... .... .... .... .... .... = Allocation type: Dynamic by CP
            .000 0000 0000 0000 0000 0000 0000 0001 = URR ID: 1
        Measurement Method : 
            IE Type: Measurement Method (62)
            IE Length: 1
            Flags: 0x03, VOLUM (Volume), DURAT (Duration)
                0000 0... = Spare: 0
                .... .0.. = EVENT (Event): False
                .... ..1. = VOLUM (Volume): True
                .... ...1 = DURAT (Duration): True
        Reporting Triggers : 
            IE Type: Reporting Triggers (37)
            IE Length: 2
            0... .... = LIUSA (Linked Usage Reporting): False
            .0.. .... = DROTH (Dropped DL Traffic Threshold): False
            ..0. .... = STOPT (Stop of Traffic): False
            ...0 .... = START (Start of Traffic): False
            .... 0... = QUHTI (Quota Holding Time): False
            .... .0.. = TIMTH (Time Threshold): False
            .... ..0. = VOLTH (Volume Threshold): False
            .... ...0 = PERIO (Periodic Reporting): False
            000. .... = Spare: 0
            ..0. .... = EVEQU (Event Quota): False
            ...0 .... = EVETH (Event Threshold): False
            .... 0... = MACAR (MAC Addresses Reporting): False
            .... .0.. = ENVCL (Envelope Closure): False
            .... ..0. = TIMQU (Time Quota): False
            .... ...0 = VOLQU (Volume Quota): False
    Create URR : [Grouped IE]
        IE Type: Create URR (6)
        IE Length: 19
        URR ID : Dynamic by CP 2
            IE Type: URR ID (81)
            IE Length: 4
            0... .... .... .... .... .... .... .... = Allocation type: Dynamic by CP
            .000 0000 0000 0000 0000 0000 0000 0010 = URR ID: 2
        Measurement Method : 
            IE Type: Measurement Method (62)
            IE Length: 1
            Flags: 0x03, VOLUM (Volume), DURAT (Duration)
                0000 0... = Spare: 0
                .... .0.. = EVENT (Event): False
                .... ..1. = VOLUM (Volume): True
                .... ...1 = DURAT (Duration): True
        Reporting Triggers : 
            IE Type: Reporting Triggers (37)
            IE Length: 2
            0... .... = LIUSA (Linked Usage Reporting): False
            .0.. .... = DROTH (Dropped DL Traffic Threshold): False
            ..0. .... = STOPT (Stop of Traffic): False
            ...0 .... = START (Start of Traffic): False
            .... 0... = QUHTI (Quota Holding Time): False
            .... .0.. = TIMTH (Time Threshold): False
            .... ..0. = VOLTH (Volume Threshold): False
            .... ...0 = PERIO (Periodic Reporting): False
            000. .... = Spare: 0
            ..0. .... = EVEQU (Event Quota): False
            ...0 .... = EVETH (Event Threshold): False
            .... 0... = MACAR (MAC Addresses Reporting): False
            .... .0.. = ENVCL (Envelope Closure): False
            .... ..0. = TIMQU (Time Quota): False
            .... ...0 = VOLQU (Volume Quota): False

Stack trace:

/src/vpp/src/vnet/fib/fib_table.c:35 (fib_table_get) assertion `! pool_is_free (ip4_main.fibs, _e)' fails

Program received signal SIGABRT, Aborted.
0x00007ffff4719f47 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#0  0x00007ffff4719f47 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff471b8b1 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x0000000000407193 in os_panic () at /src/vpp/src/vpp/vnet/main.c:371
#3  0x00007ffff55fa619 in debugger () at /src/vpp/src/vppinfra/error.c:84
#4  0x00007ffff55fa397 in _clib_error (how_to_die=2, function_name=0x0, line_number=0, fmt=0x7ffff76dc130 "%s:%d (%s) assertion `%s' fails") at /src/vpp/src/vppinfra/error.c:143
#5  0x00007ffff74f7cef in fib_table_get (index=4, proto=FIB_PROTOCOL_IP4) at /src/vpp/src/vnet/fib/fib_table.c:35
#6  0x00007ffff74f88ea in fib_table_entry_special_dpo_add (fib_index=4, prefix=0x7ffff7fc7fe0, source=FIB_SOURCE_FIRST, flags=(FIB_ENTRY_FLAG_EXCLUSIVE | FIB_ENTRY_FLAG_LOOSE_URPF_EXEMPT), dpo=0x7ffff7fc7fd8) at /src/vpp/src/vnet/fib/fib_table.c:333
#7  0x00007fffabdd88cf in pfcp_add_del_ue_ip (ip=0x7fffe6ebeb00, si=0x7fffe6ebdd00, is_add=1) at /src/vpp/src/plugins/upf/upf_pfcp.c:1197
#8  0x00007fffabddc766 in pfcp_update_apply (sx=0x7fffe6ebdd00) at /src/vpp/src/plugins/upf/upf_pfcp.c:1836
#9  0x00007fffabdf4f31 in handle_session_establishment_request (req=0x7fffe6ea63c0, msg=0x7ffff7fc8a20) at /src/vpp/src/plugins/upf/upf_pfcp_api.c:2444

RoadRunnr commented 3 years ago

I really wonder why it hit an IP4 routing table coming from pfcp_add_del_ue_ip. All the UE IPs are IPv6 only.

RoadRunnr commented 3 years ago

@ivan4th hasn't this been fixed already?

ivan4th commented 3 years ago

I'm afraid this is not fixed yet
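
An added example, not part of the thread and not upg-vpp code: a decoder for the UE IP Address IE (type 93) shown in the capture, reporting which address families the flags announce so that a caller can restrict FIB work to those families. The names `ue_ip_t` and `ue_ip_decode` are hypothetical, and rejecting an unspecified address is a policy assumed here, not something the thread establishes as the cause of the crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UE IP Address IE (type 93) flag bits, as labelled in the dissection. */
enum { UE_IP_V6 = 0x01, UE_IP_V4 = 0x02, UE_IP_SD = 0x04, UE_IP_IPV6D = 0x08 };

typedef struct {                 /* hypothetical result type */
  int has_v4, has_v6, is_dst;
  uint8_t v4[4], v6[16];
} ue_ip_t;

/* IE values rebuilt from the dissection: flags octet + IPv6 address "::". */
static const uint8_t pdr1_ue_ip[17] = { 0x01 };   /* PDR 1: V6, source */
static const uint8_t pdr2_ue_ip[17] = { 0x05 };   /* PDR 2: V6, S/D set */

/* Decode an IE value (bytes after the type/length header).
 * 0 = ok, -1 = shorter than the flags announce, -2 = no family flagged,
 * -3 = a flagged address is unspecified (policy assumed by this example). */
int ue_ip_decode(const uint8_t *p, size_t len, ue_ip_t *out)
{
  static const uint8_t zero[16] = { 0 };
  size_t need = 1;

  memset(out, 0, sizeof(*out));
  if (len < 1) return -1;
  uint8_t f = p[0];
  if (f & UE_IP_V4) need += 4;
  if (f & UE_IP_V6) need += 16;
  if (f & UE_IP_IPV6D) need += 1;   /* prefix delegation bits octet */
  if (len < need) return -1;
  if (!(f & (UE_IP_V4 | UE_IP_V6))) return -2;

  out->is_dst = (f & UE_IP_SD) != 0;
  p++;                               /* IPv4 precedes IPv6 when both are set */
  if (f & UE_IP_V4) { memcpy(out->v4, p, 4); out->has_v4 = 1; p += 4; }
  if (f & UE_IP_V6) { memcpy(out->v6, p, 16); out->has_v6 = 1; }
  if (out->has_v4 && !memcmp(out->v4, zero, 4)) return -3;
  if (out->has_v6 && !memcmp(out->v6, zero, 16)) return -3;
  return 0;
}

int main(void)
{
  ue_ip_t ip;
  int rc = ue_ip_decode(pdr2_ue_ip, sizeof pdr2_ue_ip, &ip);
  /* A caller would touch only the FIB of a family with has_vX set. */
  printf("rc=%d v4=%d v6=%d dst=%d\n", rc, ip.has_v4, ip.has_v6, ip.is_dst);
  return 0;
}
```

The decoder fills `has_v4`/`has_v6` even when it returns -3, so the result for both IEs in the capture shows IPv6 only, matching the dissection.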