BIRD 2.0.7 segfault in route filters

Damian Zaremba damian at damianzaremba.co.uk
Sun Dec 27 21:58:57 CET 2020


Hi,

It appears there is a segfault in the route-specific filters. This was 
initially observed during a `configure`, but appears to be easily 
reproducible with startup config.

Environment:
OS: Ubuntu Focal/Xenial (from latest image on DockerHub)
GCC: 9.3.0 / 5.4.0
Bird: 2.0.7 (from https://bird.network.cz/download/bird-2.0.7.tar.gz) / 61dae32 from Git
Build options: --enable-debug / no options

Reproduction configuration file:
```
router id 192.0.2.0;

protocol device {}

protocol static {
   ipv4 {};
   route 192.0.2.0/24 via "lo" {
      return false;
   };
}
```

Backtrace:
```
Reading symbols from bird...
BIRD pretty printers loaded OK.
BIRD pretty printers loaded OK.
(gdb) r -d -c test.conf
Starting program: /bird-2.0.7/bird -d -c test.conf
warning: Error disabling address space randomization: Operation not permitted
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Filter line 0000558f4c848340 (len=2)
Instruction FI_CONSTANT at line 8
  value FALSE
Instruction FI_RETURN at line 8
Filter line 0000558f4c848340 dump done
Interpreting line. Filter line 0000558f4c848340 (len=2)
  Instruction FI_CONSTANT at line 8
   value FALSE
  Instruction FI_RETURN at line 8
  Filter line 0000558f4c848340 dump done

Program received signal SIGSEGV, Segmentation fault.
0x0000558f4b269796 in interpret (fs=0x7efd219df730, line=0x558f4c848340, val=0x0) at filter/f-inst.c:890
890        fstk->vcnt = fstk->estk[fstk->ecnt].ventry - 1;
(gdb) bt
#0  0x0000558f4b269796 in interpret (fs=0x7efd219df730, line=0x558f4c848340, val=0x0) at filter/f-inst.c:890
#1  0x0000558f4b26da99 in f_eval_rte (expr=0x558f4c848340, rte=0x7ffc421efc40, tmp_pool=0x558f4c856060) at filter/filter.c:352
#2  0x0000558f4b2f9c5e in static_announce_rte (p=0x558f4c84e7b0, r=0x558f4c8481e0) at proto/static/static.c:106
#3  0x0000558f4b2fa13a in static_add_rte (p=0x558f4c84e7b0, r=0x558f4c8481e0) at proto/static/static.c:228
#4  0x0000558f4b2fa9d9 in static_start (P=0x558f4c84e7b0) at proto/static/static.c:432
#5  0x0000558f4b29501f in proto_rethink_goal (p=0x558f4c84e7b0) at nest/proto.c:1173
#6  0x0000558f4b294e7f in protos_commit (new=0x558f4c842400, old=0x0, force_reconfig=0, type=1) at nest/proto.c:1132
#7  0x0000558f4b261018 in config_do_commit (c=0x558f4c842400, type=1) at conf/conf.c:271
#8  0x0000558f4b2611ef in config_commit (c=0x558f4c842400, type=1, timeout=0) at conf/conf.c:361
#9  0x0000558f4b30b793 in main (argc=4, argv=0x7ffc421eff58) at sysdep/unix/main.c:908
```

It would be useful to be able to reject routes from their filter (to 
enable suppression in function logic, either via return or reject); 
however, in the worst case the syntax should result in an invalid 
configuration error rather than a crash.

Let me know if you need any more info.

Cheers

- Damian
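
A pre-load check for the construct in the reproduction config, added here as an example (it is not from the original post or from the BIRD project): it flags `return` statements inside per-route blocks so a configuration can be screened before it reaches an affected build. The function name `find_route_block_returns` and the second route in the sample are assumptions; the report only establishes `return` in a route block as a trigger, so nothing else is flagged.

```python
import re

# Constructed sample: the report's reproduction config plus one plain route.
SAMPLE = '''\
router id 192.0.2.0;

protocol device {}

protocol static {
   ipv4 {};
   route 192.0.2.0/24 via "lo" {
      return false;
   };
   route 198.51.100.0/24 via "lo";
}
'''

TOKEN = re.compile(r'''
    (?P<comment>\#[^\n]*|/\*.*?\*/)        # "#" and "/* */" comments
  | (?P<string>"[^"\n]*")                  # quoted strings such as "lo"
  | (?P<punct>[{};])
  | (?P<word>(?:(?!/\*)[^\s{};"#])+)
''', re.S | re.X)

def find_route_block_returns(conf):
    """Return (line, prefix) for each `return` inside a per-route block."""
    hits, stmt, depth = [], [], 0   # findings, current statement, nesting
    route = None                    # (prefix, block depth) while inside one
    for m in TOKEN.finditer(conf):
        kind, text = m.lastgroup, m.group()
        if kind in ("comment", "string"):
            continue
        if kind == "word":
            if route and text == "return":
                hits.append((conf.count("\n", 0, m.start()) + 1, route[0]))
            stmt.append(text)
            continue
        if text == "{":
            depth += 1
            if route is None and len(stmt) > 1 and stmt[0] == "route":
                route = (stmt[1], depth)
        elif text == "}":
            if route and depth == route[1]:
                route = None
            depth -= 1
        stmt = []                   # "{", "}" and ";" all end a statement
    return hits

print(find_route_block_returns(SAMPLE))
```

The reported line number for the sample matches the `line 8` shown in the filter dump of the backtrace above.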

