Add 32 new patches from FRR stable/10.4 branch

Add 32 new patches related to zebra, lib and bgpd...
They are:
0065-bgpd-fix-DEREF_OF_NULL.EX.COND-in-community_list_dup.patch
0066-zebra-fix-up-memory-leak-in-dplane-shutdown-sequences.patch
0067-bgpd-fix-overflow-when-decoding-zapi-nexthop-for-srv.patch
0068-bgpd-fix-memory-leak-in-evpn-mh.patch
0069-bgpd-Fix-default-vrf-check-while-configuring-md5-password-for-prefix-on-the-bgp-listen-socket.patch
0070-Gr-test-fixup.patch
0071-staticd-Fix-typo-in-SRv6-SIDs-debug-logs-for-interfa.patch
0072-zebra-Reset-encapsulation-source-address-when-no-srv6-is-executed.patch
0073-zebra-Explicitly-print-exit-at-the-end-of-srv6-encap.patch
0074-bgpd-Fix-crash-due-to-dangling-pointer-in-bnc-nht_in.patch
0075-zebra-Add-missing-debug-guard-in-rt-netlink-code.patch
0076-zebra-Add-missing-debug-guard-in-if-netlink-code.patch
0077-lib-remove-zlog-tmp-dirs-by-default-at-exit.patch
0078-staticd-Fix-SRv6-SID-installation-for-default-VRF.patch
0079-bgpd-don-t-use-stale-evpn-pointer-in-bgp_update.patch
0080-lib-Return-a-valid-JSON-if-prefix-list-is-not-found.patch
0081-Allow-notify-callback-on-non-presence-container.patch
0082-bgpd-fix-refcounts-at-termination.patch
0083-bgpd-add-NULL-check-in-evpn-mh-code.patch
0084-Revert-bgpd-Enable-Link-Local-Next-Hop-capability-for-unnumbered-peers-implicitly.patch
0086-doc-Fix-documentation-regarding-capability-link-loca.patch
0087-zebra-fix-neighbor-table-name-length.patch
0088-bgpd-Do-not-override-a-specified-rd.patch
0089-bgpd-EVPN-fix-auto-derive-rd-when-user-cfg-removed.patch
0090-zebra-EVPN-fix-alignment-of-access-vlan-cli-output.patch
0091-bgpd-EVPN-MH-fix-ES-EVI-memleak-during-shutdown.patch
0092-bgpd-Do-not-complain-in-the-logs-if-we-intentionally.patch
0093-bgpd-Put-local-BGP-ID-when-sending-NNHN-TLV-for-NH-c.patch
0094-zebra-fix-yang-data-for-mcast-group.patch
0095-bgpd-Crash-due-to-usage-of-freed-up-evpn_overlay-att.patch
0096-bgpd-Notify-all-incoming-outgoing-on-peer-group-noti.patch

Signed-off-by: Yuqing Zhao <[email protected]>

Author: GaladrielZhao

src/sonic-frr/patch/0065-bgpd-fix-DEREF_OF_NULL.EX.COND-in-community_list_dup.patch

@@ -0,0 +1,32 @@
+From c9cc9dce4990da85c6451a2f3e539e3a5fa2f8be Mon Sep 17 00:00:00 2001
+From: Petr Vaganov <[email protected]>
+Date: Mon, 4 Aug 2025 12:07:31 +0500
+Subject: bgpd: fix DEREF_OF_NULL.EX.COND in community_list_dup_check
+
+Found by the static analyzer Svace (ISP RAS).
+
+After having been assigned to a NULL value at bgp_clist.c:1241, pointer
+'entry->config' is passed in call to function 'community_list_dup_check'
+at bgp_clist.c:1244, where it is dereferenced at bgp_clist.c:899.
+
+Signed-off-by: Petr Vaganov <[email protected]>
+---
+ bgpd/bgp_clist.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/bgpd/bgp_clist.c b/bgpd/bgp_clist.c
+index 5019181921..429f5f2a5a 100644
+--- a/bgpd/bgp_clist.c
++++ b/bgpd/bgp_clist.c
+@@ -896,7 +896,7 @@ static bool community_list_dup_check(struct community_list *list,
+ 		case COMMUNITY_LIST_EXPANDED:
+ 		case EXTCOMMUNITY_LIST_EXPANDED:
+ 		case LARGE_COMMUNITY_LIST_EXPANDED:
+-			if (strcmp(entry->config, new->config) == 0)
++			if (new->config && (strcmp(entry->config, new->config) == 0))
+ 				return true;
+ 			break;
+ 		default:
+-- 
+2.48.1
+

src/sonic-frr/patch/0066-zebra-fix-up-memory-leak-in-dplane-shutdown-sequences.patch

@@ -0,0 +1,230 @@
+From b90c68ec0551fdecde71039c2665811a93e223cb Mon Sep 17 00:00:00 2001
+From: Chirag Shah <[email protected]>
+Date: Mon, 4 Aug 2025 11:05:22 -0700
+Subject: zebra: fix memory leak dplane pthread mutex destroy
+
+valgrind report snippet:
+==214726== 240 bytes in 1 blocks are possibly lost in loss record 18,308 of 19,216
+==214726==    at 0x48465EF: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+==214726==    by 0x492A42F: qcalloc (in /usr/lib/x86_64-linux-gnu/frr/libfrr.so.0.0.0)
+==214726==    by 0x1FED89: dplane_provider_register (in /usr/lib/frr/zebra)
+==214726==    by 0x2003AA: zebra_dplane_init (in /usr/lib/frr/zebra)
+==214726==    by 0x1C0279: main (in /usr/lib/frr/zebra)
+
+Ticket: #4559520
+
+Cursor
+Signed-off-by: Chirag Shah <[email protected]>
+---
+ zebra/zebra_dplane.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/zebra/zebra_dplane.c b/zebra/zebra_dplane.c
+index 827d55d686..409e3e4943 100644
+--- a/zebra/zebra_dplane.c
++++ b/zebra/zebra_dplane.c
+@@ -7695,6 +7695,7 @@ void zebra_dplane_shutdown(void)
+ 	dp = dplane_prov_list_first(&zdplane_info.dg_providers);
+ 	while (dp) {
+ 		dplane_prov_list_del(&zdplane_info.dg_providers, dp);
++		pthread_mutex_destroy(&dp->dp_mutex);
+ 		XFREE(MTYPE_DP_PROV, dp);
+ 
+ 		dp = dplane_prov_list_first(&zdplane_info.dg_providers);
+@@ -7711,6 +7712,9 @@ void zebra_dplane_shutdown(void)
+ 		}
+ 	}
+ 	DPLANE_UNLOCK();
++
++	/* Destroy global mutex */
++	pthread_mutex_destroy(&zdplane_info.dg_mutex);
+ }
+ 
+ /*
+-- 
+2.48.1
+
+
+From 14f1a5519c60128d816abfc7236366a81c923dfd Mon Sep 17 00:00:00 2001
+From: Chirag Shah <[email protected]>
+Date: Mon, 4 Aug 2025 14:05:22 -0700
+Subject: zebra: fix memory leak in netlink link chg err case
+
+valgrind report snippet:
+==214726== 45,600 bytes in 30 blocks are possibly lost in loss record
+19,202 of 19,216
+==214726==    at 0x48465EF: calloc (in
+/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+==214726==    by 0x492A42F: qcalloc (in
+/usr/lib/x86_64-linux-gnu/frr/libfrr.so.0.0.0)
+==214726==    by 0x1C7EEB: netlink_link_change (in /usr/lib/frr/zebra)
+==214726==    by 0x1D586E: netlink_parse_info (in /usr/lib/frr/zebra)
+==214726==    by 0x1C9930: interface_lookup_netlink (in
+/usr/lib/frr/zebra)
+==214726==    by 0x1C9E80: interface_list (in /usr/lib/frr/zebra)
+==214726==    by 0x23883D: zebra_ns_init (in /usr/lib/frr/zebra)
+==214726==    by 0x1C0294: main (in /usr/lib/frr/zebra)
+
+Ticket: #4559520
+
+Cursor
+Signed-off-by: Chirag Shah <[email protected]>
+---
+ zebra/if_netlink.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/zebra/if_netlink.c b/zebra/if_netlink.c
+index 1cfcc84bd9..7d31684c56 100644
+--- a/zebra/if_netlink.c
++++ b/zebra/if_netlink.c
+@@ -638,6 +638,9 @@ netlink_bridge_vxlan_vlan_vni_map_update(struct zebra_dplane_ctx *ctx,
+ 	if (count) {
+ 		vniarray->count = count;
+ 		dplane_ctx_set_ifp_vxlan_vni_array(ctx, vniarray);
++	} else if (vniarray) {
++		/* Free allocated memory if count is 0 */
++		XFREE(MTYPE_TMP, vniarray);
+ 	}
+ 	return 0;
+ }
+@@ -705,6 +708,9 @@ static void netlink_bridge_vlan_update(struct zebra_dplane_ctx *ctx,
+ 	if (count) {
+ 		bvarray->count = count;
+ 		dplane_ctx_set_ifp_bridge_vlan_info_array(ctx, bvarray);
++	} else if (bvarray) {
++		/* Free allocated memory if count is 0 */
++		XFREE(MTYPE_TMP, bvarray);
+ 	}
+ }
+ 
+@@ -1749,8 +1755,13 @@ int netlink_vlan_change(struct nlmsghdr *h, ns_id_t ns_id, int startup)
+ 				   bvm->ifindex, ns_id);
+ 
+ 		dplane_provider_enqueue_to_zebra(ctx);
+-	} else
++	} else {
++		if (vlan_array) {
++			/* Free allocated memory if count is 0 */
++			XFREE(MTYPE_VLAN_CHANGE_ARR, vlan_array);
++		}
+ 		dplane_ctx_fini(&ctx);
++	}
+ 
+ 
+ 	return 0;
+-- 
+2.48.1
+
+
+From d34057d035a5e6410deaef9daa46ce0ed943c520 Mon Sep 17 00:00:00 2001
+From: Chirag Shah <[email protected]>
+Date: Mon, 4 Aug 2025 14:09:40 -0700
+Subject: zebra: fix memory leak in dplane zns info entries
+
+valgrind report snippet:
+==214726== 48 bytes in 1 blocks are possibly lost in loss record 13,919
+of 19,216
+==214726==    at 0x48465EF: calloc (in
+/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+==214726==    by 0x492A42F: qcalloc (in
+/usr/lib/x86_64-linux-gnu/frr/libfrr.so.0.0.0)
+==214726==    by 0x1FFA30: zebra_dplane_ns_enable (in
+/usr/lib/frr/zebra)
+==214726==    by 0x238835: zebra_ns_init (in /usr/lib/frr/zebra)
+==214726==    by 0x1C0294: main (in /usr/lib/frr/zebra)
+
+Ticket: #4559520
+
+Cursor
+Signed-off-by: Chirag Shah <[email protected]>
+---
+ zebra/zebra_dplane.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/zebra/zebra_dplane.c b/zebra/zebra_dplane.c
+index 409e3e4943..9e26cf6803 100644
+--- a/zebra/zebra_dplane.c
++++ b/zebra/zebra_dplane.c
+@@ -7665,6 +7665,7 @@ void zebra_dplane_shutdown(void)
+ {
+ 	struct zebra_dplane_provider *dp;
+ 	struct zebra_dplane_ctx *ctx;
++	struct dplane_zns_info *zi;
+ 
+ 	if (IS_ZEBRA_DEBUG_DPLANE)
+ 		zlog_debug("Zebra dataplane shutdown called");
+@@ -7701,6 +7702,14 @@ void zebra_dplane_shutdown(void)
+ 		dp = dplane_prov_list_first(&zdplane_info.dg_providers);
+ 	}
+ 
++	/* Clean up namespace info entries */
++	zi = zns_info_list_first(&zdplane_info.dg_zns_list);
++	while (zi) {
++		zns_info_list_del(&zdplane_info.dg_zns_list, zi);
++		XFREE(MTYPE_DP_NS, zi);
++		zi = zns_info_list_first(&zdplane_info.dg_zns_list);
++	}
++
+ 	/* TODO -- Clean queue(s), free memory */
+ 	DPLANE_LOCK();
+ 	{
+-- 
+2.48.1
+
+
+From ea672814b716dbd9c6387e0533fa7a5efff8c8d9 Mon Sep 17 00:00:00 2001
+From: Chirag Shah <[email protected]>
+Date: Mon, 4 Aug 2025 15:11:40 -0700
+Subject: zebra: fix memory leak dplane providers queued contex
+
+valgrind report snippet:
+==214726== 1,520 bytes in 1 blocks are possibly lost in loss record
+19,054 of 19,216
+==214726==    at 0x48465EF: calloc (in
+/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+==214726==    by 0x492A42F: qcalloc (in
+/usr/lib/x86_64-linux-gnu/frr/libfrr.so.0.0.0)
+==214726==    by 0x20029D: zebra_dplane_startup_stage (in
+/usr/lib/frr/zebra)
+==214726==    by 0x23883D: zebra_ns_init (in /usr/lib/frr/zebra)
+==214726==    by 0x1C0294: main (in /usr/lib/frr/zebra)
+
+Ticket: #4559520
+
+Cursor
+Signed-off-by: Chirag Shah <[email protected]>
+---
+ zebra/zebra_dplane.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/zebra/zebra_dplane.c b/zebra/zebra_dplane.c
+index 9e26cf6803..18599a02b5 100644
+--- a/zebra/zebra_dplane.c
++++ b/zebra/zebra_dplane.c
+@@ -7722,6 +7722,23 @@ void zebra_dplane_shutdown(void)
+ 	}
+ 	DPLANE_UNLOCK();
+ 
++	/* Clean up any startup stage contexts in provider queues */
++	frr_each (dplane_prov_list, &zdplane_info.dg_providers, dp) {
++		/* Clean in-queue contexts */
++		ctx = dplane_ctx_list_pop(&dp->dp_ctx_in_list);
++		while (ctx) {
++			dplane_ctx_free(&ctx);
++			ctx = dplane_ctx_list_pop(&dp->dp_ctx_in_list);
++		}
++
++		/* Clean out-queue contexts */
++		ctx = dplane_ctx_list_pop(&dp->dp_ctx_out_list);
++		while (ctx) {
++			dplane_ctx_free(&ctx);
++			ctx = dplane_ctx_list_pop(&dp->dp_ctx_out_list);
++		}
++	}
++
+ 	/* Destroy global mutex */
+ 	pthread_mutex_destroy(&zdplane_info.dg_mutex);
+ }
+-- 
+2.48.1
+

src/sonic-frr/patch/0067-bgpd-fix-overflow-when-decoding-zapi-nexthop-for-srv.patch

@@ -0,0 +1,36 @@
+From 21fb7c457208205af55cfa63d86c5f89315febda Mon Sep 17 00:00:00 2001
+From: Petr Vaganov <[email protected]>
+Date: Mon, 4 Aug 2025 11:33:10 +0500
+Subject: bgpd: fix overflow when decoding zapi nexthop for srv6 max segments
+
+Found by the static analyzer Svace (ISP RAS).
+
+Expression is used as an index for accessing an array's element
+in function 'stream_get2' at zclient.c:1577. This expression can
+have value 256, which is out of range, as indicated by a preceding
+conditional expression at zclient.c:1577.
+
+Through memcpy, 256 bytes can be written to a 128 byte array of
+structures, it seems that SRV6_MAX_SIDS should be SRV6_MAX_SEGS instead.
+
+Signed-off-by: Petr Vaganov <[email protected]>
+---
+ lib/zclient.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/zclient.c b/lib/zclient.c
+index 3ab7bc040e..fe5a931c10 100644
+--- a/lib/zclient.c
++++ b/lib/zclient.c
+@@ -1574,7 +1574,7 @@ int zapi_nexthop_decode(struct stream *s, struct zapi_nexthop *api_nh,
+ 
+ 	if (CHECK_FLAG(api_nh->flags, ZAPI_NEXTHOP_FLAG_SEG6)) {
+ 		STREAM_GETC(s, api_nh->seg_num);
+-		if (api_nh->seg_num > SRV6_MAX_SIDS) {
++		if (api_nh->seg_num > SRV6_MAX_SEGS) {
+ 			flog_err(EC_LIB_ZAPI_ENCODE,
+ 				 "%s: invalid number of SRv6 Segs (%u)",
+ 				 __func__, api_nh->seg_num);
+-- 
+2.48.1
+