crash in ospf lsupd/dbdes (only if authentication enabled?)
Ondrej Zajicek
santiago at crfreenet.org
Wed Jan 8 13:25:04 CET 2020
On Wed, Jan 08, 2020 at 11:52:40AM +0000, Kenth Eriksson wrote:
> We have seen a bird crash due to memory corruption. The call stacks
> show that it can happen at different locations, but they all seem to
> come from the packet size becoming larger than the socket tx buffer
> size.
>
> Before the crash happens, the following trace can be observed in the
> log:
>
> 2020-01-08 11:06:52.584 <DBG> Assertion '*plen < ifa->sk->tbsize' failed at /usr/local/src/tm3000/ext/bird/proto/ospf/packet.c:97
>
> Debugging shows that *plen is 1504 (after adding auth_len of 32 bytes).
> The tbsize is set to 1492 which corresponds to the MTU size.
>
> The procedure ospf_pkt_maxsize does not take authentication into
> account, is that correct?

It should take authentication into account:

static inline uint ospf_pkt_maxsize(struct ospf_iface *ifa)
{ return ifa->tx_length - ifa->tx_hdrlen; }

...

  ifa->tx_hdrlen = ifa_tx_hdrlen(ifa);

...

static inline uint
ifa_tx_hdrlen(struct ospf_iface *ifa)
{
  struct ospf_proto *p = ifa->oa->po;

  uint hlen = ospf_is_v2(p) ? IP4_HEADER_LENGTH : IP6_HEADER_LENGTH;

  /* Relevant just for OSPFv2 */
  if (ifa->autype == OSPF_AUTH_CRYPT)
  {
    hlen += ospf_is_v2(p) ? 0 : sizeof(struct ospf_auth3);
    hlen += max_mac_length(ifa->passwords);
  }

  return hlen;
}

What do you have in ifa->tx_length and ifa->tx_hdrlen?
--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
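
The size budget discussed in this thread, as an added example that is not part of the original message and is not BIRD code: a simplified model in which the payload limit is tx_length minus tx_hdrlen and the authentication trailer is appended only if the result stays below the tx buffer size. The struct, the function names, a 20-byte IPv4 header and a tx_length of 1492 are assumptions made for illustration; whether the uncounted case is what occurred on the reporter's system is not established in the thread.

```c
#include <string.h>

#define IP4_HDR_LEN 20u   /* assumed: IPv4 header without options */

/* Hypothetical, simplified model of the fields named in the thread. */
struct tx_model {
  unsigned tx_length;   /* bytes available per packet, IP header included */
  unsigned tx_hdrlen;   /* bytes reserved for IP header (+ trailer if counted) */
  unsigned tbsize;      /* size of the socket tx buffer */
};

/* Same formula as the quoted ospf_pkt_maxsize(), with an underflow guard. */
static unsigned pkt_maxsize(const struct tx_model *m)
{
  return m->tx_hdrlen < m->tx_length ? m->tx_length - m->tx_hdrlen : 0;
}

/* Append an auth_len-byte trailer only if the new length stays below tbsize
 * (the bound from the failed assertion), checked before any byte is written.
 * Returns the new length, or 0 if the trailer does not fit. */
static unsigned append_auth(const struct tx_model *m, unsigned char *buf,
                            unsigned plen, const unsigned char *mac,
                            unsigned auth_len)
{
  if (plen >= m->tbsize || auth_len >= m->tbsize - plen)
    return 0;
  memcpy(buf + plen, mac, auth_len);
  return plen + auth_len;
}

/* Fill a packet to the computed maximum, then add a 32-byte trailer. */
static unsigned build_full_packet(const struct tx_model *m)
{
  unsigned char buf[2048] = {0};   /* backing store, larger than tbsize */
  unsigned char mac[32] = {0};     /* constructed placeholder digest */
  return append_auth(m, buf, pkt_maxsize(m), mac, sizeof(mac));
}

int main(void)
{
  /* Constructed values. counted: 1440-byte payload + 32 = 1472, fits.
   * uncounted: 1472-byte payload + 32 = 1504 > 1492, append is refused. */
  struct tx_model counted   = { 1492, IP4_HDR_LEN + 32, 1492 };
  struct tx_model uncounted = { 1492, IP4_HDR_LEN,      1492 };
  return !(build_full_packet(&counted) == 1472 &&
           build_full_packet(&uncounted) == 0);
}
```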