Segmentation fault caused by malformed BGP packet

Ivo Smits Ivo at UFO-Net.nl
Mon May 30 17:45:20 CEST 2011


After running into trouble with bird 1.2.3 trying to display 32-bit AS 
numbers (show route all resulted in a segmentation fault), we decided to 
upgrade to 1.3.1. Unfortunately 1.3.1 crashed even sooner than 1.2.3. 
One of the logs looks like this:
   bird: UFO_4_0_bgp > added 1.0.49.0/24 via 1.82.98.2 on ppp-UFO_4-0
   Segmentation fault

Disabling this peer fixed the crashes, enabling the peer brought them 
back. After some investigation, it turned out that this BGP peer sends 
an ORIGIN attribute even with BGP packets that only withdraw a route; 
bird does not do this. Changing the peer's source code to not send the 
ORIGIN attribute for withdrawn routes fixed the crashes in bird.

The segmentation fault suggests that there is a security issue in bird's 
BGP update handling.

Attached is a pcap dump file containing a BGP session. 1.82.98.27 is the 
bird router. Frame 30 contains a withdrawal update sent by bird, frame 31 
contains the first withdrawal received by bird (offset 0x0525), which 
also happens to be the next UPDATE after an update regarding 
1.0.49.0/24, which is shown in the log just before bird crashes.

--
Ivo
Attachment: as27_bird_dump.pcap (application/octet-stream, 9024 bytes)
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20110530/d4c37e35/attachment.obj>
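The two UPDATE shapes the report contrasts, as an added example that is not part of the original post and not bird's code: a withdraw-only UPDATE with no path attributes (what bird itself sends) and a withdraw-only UPDATE that still carries an ORIGIN attribute (what the peer sent). The decoder checks every length field against the bytes actually present, which is the kind of check a BGP implementation needs before it touches attribute or NLRI data. The prefix 1.0.49.0/24 is taken from the log above; all other values, the function names and the tampered message in the usage note are constructed for illustration, and the peer's real packets exist only in the attached pcap.

```python
"""Build and decode BGP UPDATE messages (RFC 4271 wire format).

Added example; not code from bird or from the original report.  Sample
prefixes and attribute values are constructed for illustration.
"""
import ipaddress
import struct

BGP_MARKER = b"\xff" * 16
BGP_UPDATE = 2               # message type code for UPDATE
ATTR_ORIGIN = 1              # path attribute type code for ORIGIN
ATTR_FLAG_TRANSITIVE = 0x40  # well-known attributes are transitive
ATTR_FLAG_EXT_LEN = 0x10     # attribute length is two octets, not one


def encode_prefix(prefix):
    """Encode an IPv4 prefix as <length in bits><minimal number of octets>."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def decode_prefixes(buf):
    """Decode a run of <len><octets> prefixes; refuse bad lengths or truncation."""
    out, i = [], 0
    while i < len(buf):
        plen = buf[i]
        if plen > 32:
            raise ValueError("prefix length %d > 32" % plen)
        nbytes = (plen + 7) // 8
        i += 1
        if i + nbytes > len(buf):
            raise ValueError("prefix truncated")
        addr = buf[i:i + nbytes] + b"\x00" * (4 - nbytes)
        out.append("%s/%d" % (ipaddress.IPv4Address(addr), plen))
        i += nbytes
    return out


def origin_attribute(origin=0):
    """ORIGIN attribute: flags, type 1, one-octet length, value (0=IGP 1=EGP 2=INCOMPLETE)."""
    return bytes([ATTR_FLAG_TRANSITIVE, ATTR_ORIGIN, 1, origin])


def build_update(withdrawn=(), attributes=b"", nlri=()):
    """Assemble header + withdrawn routes + path attributes + NLRI."""
    wd = b"".join(encode_prefix(p) for p in withdrawn)
    nl = b"".join(encode_prefix(p) for p in nlri)
    body = (struct.pack("!H", len(wd)) + wd
            + struct.pack("!H", len(attributes)) + attributes + nl)
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), BGP_UPDATE) + body


def parse_attributes(buf):
    """Walk the path attribute TLVs, honouring the extended-length flag."""
    attrs, i = [], 0
    while i < len(buf):
        if i + 3 > len(buf):
            raise ValueError("attribute header truncated")
        flags, code = buf[i], buf[i + 1]
        if flags & ATTR_FLAG_EXT_LEN:
            if i + 4 > len(buf):
                raise ValueError("attribute header truncated")
            alen = struct.unpack("!H", buf[i + 2:i + 4])[0]
            i += 4
        else:
            alen = buf[i + 2]
            i += 3
        if i + alen > len(buf):
            raise ValueError("attribute value truncated")
        attrs.append((code, buf[i:i + alen]))
        i += alen
    return attrs


def parse_update(msg):
    """Decode an UPDATE, checking each length field against the bytes present."""
    if len(msg) < 19 or msg[:16] != BGP_MARKER:
        raise ValueError("bad BGP header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != BGP_UPDATE or length != len(msg) or length < 23:
        raise ValueError("not a well-formed UPDATE")
    body = msg[19:]
    wd_len = struct.unpack("!H", body[:2])[0]
    if 2 + wd_len + 2 > len(body):
        raise ValueError("withdrawn routes length overruns message")
    withdrawn = decode_prefixes(body[2:2 + wd_len])
    pos = 2 + wd_len
    attr_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if pos + attr_len > len(body):
        raise ValueError("path attribute length overruns message")
    attrs = parse_attributes(body[pos:pos + attr_len])
    nlri = decode_prefixes(body[pos + attr_len:])
    return {"withdrawn": withdrawn, "attributes": attrs, "nlri": nlri}


def withdraw_only_with_attributes(msg):
    """True for the peer's shape: withdrawn routes plus path attributes, no NLRI."""
    u = parse_update(msg)
    return bool(u["withdrawn"]) and bool(u["attributes"]) and not u["nlri"]


def is_well_formed(msg):
    """Parse defensively; a length inconsistency is reported, never dereferenced."""
    try:
        parse_update(msg)
        return True
    except ValueError:
        return False


# Constructed sample messages: bird's withdraw (no attributes) and the peer's.
BIRD_WITHDRAW = build_update(withdrawn=["1.0.49.0/24"])
PEER_WITHDRAW = build_update(withdrawn=["1.0.49.0/24"],
                             attributes=origin_attribute(0))
```

Running the attached pcap's UPDATE payloads (from offset 0x0525 in frame 31 onward) through parse_update would show which of the two shapes each one has; the decoder accepts both, since an attribute block with no NLRI is a valid layout, and only rejects messages whose length fields disagree with the bytes on the wire.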

