Crash when filtering routes in BGP protocol

Vincent Bernat bernat at luffy.cx
Sat Jul 6 23:34:29 CEST 2019


Hey!

I am unsure if my message was successfully delivered to the appropriate
people (maybe it was filtered due to DKIM).
-- 
Follow each decision as closely as possible with its associated action.
            - The Elements of Programming Style (Kernighan & Plauger)

 ――――――― Original Message ―――――――
 From: Vincent Bernat <bernat at luffy.cx>
 Sent: 25 juin 2019 19:57 +02
 Subject: Crash when filtering routes in BGP protocol
 To: bird-users

> Hey!
>
> When filtering routes in BGP, I get the following crash with BIRD master:
>
> #v+
> Program received signal SIGSEGV, Segmentation fault.
> 0x000055555558ccdd in rta_free (r=0x55555558adc0 <rte_get_temp+16>) at ../nest/route.h:643
> 643     static inline void rta_free(rta *r) { if (r && !--r->uc) rta__free(r); }
> gdb$  bt full
> #0  0x000055555558ccdd in rta_free (r=0x55555558adc0 <rte_get_temp+16>) at ../nest/route.h:643
> No locals.
> #1  rte_update2 (c=0x5555555f3de0, n=0x7fffffffe2f0, n@entry=0x7fffffffe260, new=<optimized out>, src=0x5555555fec00) at ../nest/rt-table.c:1589
>         old_attrs = 0x55555558adc0 <rte_get_temp+16>
>         fr = <optimized out>
>         p = <optimized out>
>         stats = 0x5555555f3e78
>         filter = 0x5555555ed980
>         dummy = 0x0
>         nn = 0x7fffffffe210
> #2  0x000055555559ca0a in rte_update3 (src=<optimized out>, new=<optimized out>, n=<optimized out>, c=<optimized out>) at ../nest/protocol.h:628
> No locals.
> #3  bgp_rte_update (s=s@entry=0x7fffffffe350, n=n@entry=0x7fffffffe2f0, path_id=path_id@entry=4294959812, a0=a0@entry=0x0) at ../proto/bgp/packets.c:1267
>         a = <optimized out>
>         e = <optimized out>
> #4  0x000055555559d6dd in bgp_decode_nlri_ip6 (s=0x7fffffffe350, pos=<optimized out>, len=<optimized out>, a=0x0) at ../proto/bgp/packets.c:1500
>         net = {type = 2 '\002', pxlen = 48 '0', length = 20, prefix = {addr = {536939960, 3722248192, 0, 0}}}
>         path_id = 4294959812
>         l = 48
>         addr = {addr = {3087860000, 56797, 0, 0}}
>         b = <optimized out>
> #5  0x000055555559aced in bgp_decode_nlri (s=s@entry=0x7fffffffe460, afi=<optimized out>, nlri=0x5555556034d0 "0 \001\r\270\335\335\060 \001\r\270\314\314@\001\001", len=14, ea=ea@entry=0x5555556065f0, nh=<optimized out>, nh_len=32) at ../proto/bgp/packets.c:2351
>         c = 0x5555555f3de0
>         a = 0x7fffffffe350
> #6  0x000055555559ed64 in bgp_rx_update (conn=conn@entry=0x5555555f3cd8, pkt=pkt@entry=0x555555603490 '\377' <repeats 16 times>, len=91) at ../proto/bgp/packets.c:2448
>         p = <optimized out>
>         ea = 0x5555556065f0
>         s = {proto = 0x5555555f3ad0, channel = 0x5555555f3de0, pool = 0x5555556019c0, as4_session = 1, add_path = 0, mpls = 0, attrs_seen = {16390, 0, 0, 0, 0, 0, 0, 0}, mp_reach_af = 131073, mp_unreach_af = 0, attr_len = 68, ip_reach_len = 0, ip_unreach_len = 0, ip_next_hop_len = 0, mp_reach_len = 14, mp_unreach_len = 0, mp_next_hop_len = 32, attrs = 0x5555556034a7 "\220\016", ip_reach_nlri = 0x5555556034eb '\377' <repeats 16 times>, ip_unreach_nlri = 0x5555556034a5 "", ip_next_hop_data = 0x0, mp_reach_nlri = 0x5555556034d0 "0 \001\r\270\335\335\060 \001\r\270\314\314@\001\001", mp_unreach_nlri = 0x0, mp_next_hop_data = 0x5555556034af " \001\r\270\252\252", err_withdraw = 0, err_subcode = 0, err_jmpbuf = {{__jmpbuf = {93824992885456, -942560477419964727, 93824992949408, 93824992885976, 0, 93824992949392, 942560477161682633, 6359628643728717513}, __mask_was_saved = 0, __saved_mask = {__val = {0 <repeats 16 times>}}}}, hostentry = 0x0, mpls_labels = 0x0, last_id = 0, last_src = 0x5555555fec00, cached_rta = 0x5555556075c8}
>         pos = <optimized out>
> #7  0x000055555559fadb in bgp_rx_packet (len=<optimized out>, pkt=0x555555603490 '\377' <repeats 16 times>, conn=0x5555555f3cd8) at ../proto/bgp/packets.c:3024
>         type = 2 '\002'
>         type = <optimized out>
> #8  bgp_rx (sk=0x555555601bb0, size=<optimized out>) at ../proto/bgp/packets.c:3069
>         conn = 0x5555555f3cd8
>         pkt_start = 0x555555603490 '\377' <repeats 16 times>
>         end = 0x555555603508 ""
>         i = <optimized out>
>         len = <optimized out>
> #9  0x00005555555a48da in call_rx_hook (s=0x555555601bb0, size=<optimized out>) at ../sysdep/unix/io.c:1794
> No locals.
> #10 0x00005555555a6db7 in sk_read (s=s@entry=0x555555601bb0, revents=1) at ../sysdep/unix/io.c:1882
>         c = <optimized out>
> #11 0x00005555555a781e in io_loop () at ../sysdep/unix/io.c:2344
>         s = <optimized out>
>         count = 1
>         poll_tout = <optimized out>
>         timeout = <optimized out>
>         nfds = <optimized out>
>         events = <optimized out>
>         pout = <optimized out>
>         t = <optimized out>
>         s = <optimized out>
>         n = <optimized out>
>         fdmax = 256
>         pfd = 0x555555601010
> #12 0x0000555555560f53 in main (argc=<optimized out>, argv=<optimized out>) at ../sysdep/unix/main.c:906
>         use_uid = <optimized out>
>         use_gid = <optimized out>
>         conf = 0x5555555eca10
> #v-
>
>
> Minimal configuration is:
>
> #v+
> log "/var/log/bird.log" all;
> router id 2.2.2.2;
>
> filter validated {
>    reject;
> }
>
> protocol device {
> }
>
> protocol bgp {
>    local as 65001;
>    neighbor 2001:db8:aaaa::0 as 65000;
>    ipv6 {
>       import filter validated;
>       export none;
>    };
> }
> #v-
>
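> I have tried to fix that by initializing `old_attrs` to NULL, but this
> leads to a crash elsewhere. In the backtrace above, `old_attrs` holds
> `0x55555558adc0 <rte_get_temp+16>`, an address inside program code rather
> than a route attribute, which suggests it is read before being assigned
> when the import filter rejects the route. Since I don't know what a
> temporary attribute is, I may be missing the whole picture.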


