Skip to content

fix: add nil check in AddressesAsCIDRs to prevent SIGSEGV #11602

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
majiayu000 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

fix: add nil check in AddressesAsCIDRs to prevent SIGSEGV #11602

majiayu000 wants to merge 1 commit into from
+13 −2

Conversation

@majiayu000
Copy link

@majiayu000 majiayu000 commented Dec 30, 2025

Fixes #11384

Summary

  • Add nil check in AddressesAsCIDRs() to prevent null pointer dereference
  • Empty ExternalIP can result in nil ip.Addr in the Addresses slice, causing SIGSEGV when AsCIDR() is called

Changes

  • Added nil check at line 158 in l3_route_resolver.go before calling AsCIDR()
  • Added test case to verify nil addresses are handled correctly

Test plan

  • Code compiles with GOOS=linux go build ./felix/calc/
  • Tests compile with GOOS=linux go test -c ./felix/calc/
  • Code formatted with gofmt

@majiayu000 @claude
fix: add nil check in AddressesAsCIDRs to prevent SIGSEGV
0b71456 
When ExternalIP is empty in Kubernetes, a nil ip.Addr can end up in
the Addresses slice of l3rrNodeInfo. The existing cleanup logic only
removed emptyV4Addr and emptyV6Addr (zero-valued structs), but not nil
interface values. This caused a panic (SIGSEGV) when AsCIDR() was
called on a nil address at l3_route_resolver.go:166.

This fix adds a nil check to the cleanup loop to filter out nil
addresses before iterating and calling AsCIDR().

Fixes projectcalico#11384

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
Signed-off-by: majiayu000 <[email protected]>
@majiayu000 majiayu000 requested a review from a team as a code owner December 30, 2025 19:44
@marvin-tigera marvin-tigera added this to the Calico v3.32.0 milestone Dec 30, 2025
@marvin-tigera marvin-tigera added release-note-required Change has user-facing impact (no matter how small) docs-pr-required Change is not yet documented labels Dec 30, 2025
@CLAassistant
Copy link

CLAassistant commented Dec 30, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@caseydavenport
Copy link
Member

caseydavenport commented Dec 31, 2025

/sem-approve

@caseydavenport caseydavenport added the docs-not-required Docs not required for this change label Dec 31, 2025
@marvin-tigera marvin-tigera removed the docs-pr-required Change is not yet documented label Dec 31, 2025
@caseydavenport caseydavenport enabled auto-merge (squash) December 31, 2025 17:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@caseydavenport caseydavenport caseydavenport approved these changes

Assignees

No one assigned

Labels

docs-not-required Docs not required for this change release-note-required Change has user-facing impact (no matter how small)

Projects

None yet

Milestone

Calico v3.32.0

Development

Successfully merging this pull request may close these issues.

Calico SIGSEV on null address in Kubernetes (3.30.1)

4 participants

@majiayu000 @CLAassistant @caseydavenport @marvin-tigera