zebra: fix heap overflow and guard inconsistency in SRv6 nexthop resolution

Author: dawkopagh

lib/nexthop.c

@@ -716,6 +716,12 @@ void nexthop_add_srv6_seg6(struct nexthop *nexthop, const struct in6_addr *segs,
 			XCALLOC(MTYPE_NH_SRV6,
 				sizeof(struct seg6_seg_stack) +
 					num_segs * sizeof(struct in6_addr));
+	} else if (num_segs > nexthop->nh_srv6->seg6_segs->num_segs) {
+		nexthop->nh_srv6->seg6_segs =
+			XREALLOC(MTYPE_NH_SRV6,
+				 nexthop->nh_srv6->seg6_segs,
+				 sizeof(struct seg6_seg_stack) +
+					 num_segs * sizeof(struct in6_addr));
 	}
 
 	nexthop->nh_srv6->seg6_segs->num_segs = num_segs;

zebra/zebra_nhg.c

@@ -1960,9 +1960,9 @@ static struct nexthop *nexthop_set_resolved(afi_t afi, const struct nexthop *new
 		nexthop_add_labels(resolved_hop, label_type, num_labels,
 				   labels);
 
-	/* Copy SRv6 info from the resolved route's nexthop first, then
-	 * overlay any SRv6 info from the parent nexthop (consistent with
-	 * how MPLS labels are stacked above).
+	/* Copy SRv6 info from the resolved route's nexthop (newhop) if
+	 * present; if the parent nexthop also carries SRv6 info, its
+	 * value takes precedence and replaces the resolver's.
 	 */
 	if (newhop->nh_srv6) {
 		if (newhop->nh_srv6->seg6local_action !=
@@ -1989,7 +1989,9 @@ static struct nexthop *nexthop_set_resolved(afi_t afi, const struct nexthop *new
 							   ->seg6local_action,
 						   &nexthop->nh_srv6
 							    ->seg6local_ctx);
-		if (nexthop->nh_srv6->seg6_segs)
+		if (nexthop->nh_srv6->seg6_segs &&
+		    nexthop->nh_srv6->seg6_segs->num_segs &&
+		    !sid_zero(nexthop->nh_srv6->seg6_segs))
 			nexthop_add_srv6_seg6(resolved_hop, &nexthop->nh_srv6->seg6_segs->seg[0],
 					      nexthop->nh_srv6->seg6_segs->num_segs,
 					      nexthop->nh_srv6->seg6_segs->encap_behavior);