crash in ospf lsupd/dbdes (only if authentication enabled?)
Kenth Eriksson
Kenth.Eriksson at infinera.com
Wed Jan 8 12:52:40 CET 2020
We have seen a bird crash due to memory corruption. The call stacks
show that it can happen at different locations, but they all seem to
come from the packet size becoming larger than the socket tx buffer
size.
Before the crash happens, the following trace can be observed in the
log:
2020-01-08 11:06:52.584 <DBG> Assertion '*plen < ifa->sk->tbsize' failed at /usr/local/src/tm3000/ext/bird/proto/ospf/packet.c:97
Debugging shows that *plen is 1504 (after adding auth_len of 32 bytes).
The tbsize is set to 1492 which corresponds to the MTU size.
The procedure ospf_pkt_maxsize does not take account of
authentication; is that correct?
Valgrind evidence of the issue:
==3272== Invalid write of size 4
==3272== at 0xFFB8594: memcpy (in /usr/lib/valgrind/vgpreload_memcheck-ppc32-linux.so)
==3272== by 0x10015F6F: ??? (in /opt/appl/cuappl04a-r34a-39/sbin/bird)
==3272== by 0x10039B87: ??? (in /opt/appl/cuappl04a-r34a-39/sbin/bird)
==3272== by 0x1002E813: ??? (in /opt/appl/cuappl04a-r34a-39/sbin/bird)
==3272== by 0x1003978F: ??? (in /opt/appl/cuappl04a-r34a-39/sbin/bird)
==3272== by 0x10046963: ??? (in /opt/appl/cuappl04a-r34a-39/sbin/bird)
==3272== by 0x100473B7: ??? (in /opt/appl/cuappl04a-r34a-39/sbin/bird)
==3272== by 0x1000245F: ??? (in /opt/appl/cuappl04a-r34a-39/sbin/bird)
(gdb) list *0x1002E813
0x1002e813 is in ospf_do_send_dbdes (/usr/local/src/builduser/rc/rel_34_0/ext/bird/proto/ospf/dbdes.c:196).
191 struct ospf_iface *ifa = n->ifa;
192
193 OSPF_PACKET(ospf_dump_dbdes, n->ldd_buffer,
194 "DBDES packet sent to nbr %R on %s", n->rid, ifa->ifname);
195 sk_set_tbuf(ifa->sk, n->ldd_buffer);
196 ospf_send_to(ifa, n->ip);
197 sk_set_tbuf(ifa->sk, NULL);
198 }
199
200 /**
(gdb) list *0x10039B87
0x10039b87 is in ospf_send_to (/usr/local/src/builduser/rc/rel_34_0/ext/bird/proto/ospf/packet.c:110).
105 if (pass->alg < ALG_HMAC)
106 strncpy(auth_tail, pass->password, auth_len);
107 else
108 memset32(auth_tail, HMAC_MAGIC, auth_len / 4);
109
110 mac_fill(pass->alg, pass->password, pass->length, (byte *) pkt, *plen, auth_tail);
111 break;
112
113 default:
114 bug("Unknown authentication type");
(gdb) list *0x10015F6F
0x10015f6f is in mac_fill (/usr/local/src/builduser/rc/rel_34_0/ext/bird/lib/mac.h:112).
107
108 static inline void mac_update(struct mac_context *ctx, const byte *data, uint datalen)
109 { ctx->type->update(ctx, data, datalen); }
110
111 static inline byte *mac_final(struct mac_context *ctx)
112 { return ctx->type->final(ctx); }
113
114 static inline void mac_cleanup(struct mac_context *ctx)
115 { memset(ctx, 0, ctx->type->ctx_length); }
116
(gdb)
ASan evidence of the crash:
=================================================================
==3202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4105a64 at pc 0x38630004 bp 0xbf958200 sp 0xbf958218
WRITE of size 4 at 0xb4105a64 thread T0
#0 0x38630000 (+0x10630000)
#1 0xfb2aa10 in __asan_report_error (/usr/lib/gcc/powerpc-unknown-linux-gnu/4.9.3/libasan.so.1+0x65a10)
#2 0xfb2bd70 in __asan_report_store4 (/usr/lib/gcc/powerpc-unknown-linux-gnu/4.9.3/libasan.so.1+0x66d70)
#3 0x100d26d0 in ospf_send_to (/opt/appl/cuappl04a-r34a-39/sbin/bird+0x100d26d0)
0xb4105a64 is located 0 bytes to the right of 1508-byte region [0xb4105480,0xb4105a64)
allocated by thread T0 here:
#0 0x10060ab4 in bird_xmalloc (/opt/appl/cuappl04a-r34a-39/sbin/bird+0x10060ab4)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
==3202==ABORTING
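The sizing problem described in the report, as an added example that is not BIRD's code: the packet limit must subtract the authentication trailer from the tx buffer size, and the routine that appends the trailer must refuse rather than write past the buffer. The struct, the function names and the 0xAA stand-in for the MAC bytes are assumptions; the numbers (1492-byte tx buffer, 32-byte trailer, 1504-byte result) are the ones in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the socket state involved (not BIRD's struct). */
struct tx_state {
    size_t tbsize;   /* transmit buffer size; 1492 (the MTU) in the report */
    size_t auth_len; /* bytes appended after the packet for auth; 0 = none */
};

/* Largest packet the builder may produce so that packet + trailer still
   fits the tx buffer. Subtracting the trailer is the missing adjustment:
   without it, 1472 bytes of packet + 32 bytes of HMAC = 1504 > 1492. */
size_t pkt_maxsize_with_auth(size_t tbsize, size_t auth_len)
{
    return (auth_len < tbsize) ? tbsize - auth_len : 0;
}

/* Append the trailer after plen bytes already in buf (buf holds tbsize
   bytes). Returns the final length, or 0 if the trailer would run past
   the end of the buffer, instead of writing it anyway. */
size_t append_auth_trailer(unsigned char *buf, const struct tx_state *st,
                           size_t plen)
{
    if (plen > st->tbsize || st->auth_len > st->tbsize - plen)
        return 0;                            /* caller must shrink packet */
    memset(buf + plen, 0xAA, st->auth_len);  /* stand-in for the MAC bytes */
    return plen + st->auth_len;
}

/* One send attempt against a heap buffer of exactly tbsize bytes, the
   situation ASan flagged; returns the final length or 0 if refused. */
size_t simulate_send(size_t tbsize, size_t auth_len, size_t plen)
{
    struct tx_state st = { tbsize, auth_len };
    unsigned char *tbuf = malloc(tbsize);
    if (!tbuf)
        return 0;
    size_t out = append_auth_trailer(tbuf, &st, plen);
    free(tbuf);
    return out;
}

int main(void)
{
    printf("max packet, 32-byte trailer: %zu\n", pkt_maxsize_with_auth(1492, 32));
    printf("1472-byte packet: %zu\n", simulate_send(1492, 32, 1472)); /* 0 */
    printf("1460-byte packet: %zu\n", simulate_send(1492, 32, 1460)); /* 1492 */
    return 0;
}
```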