BIRD 2.0.7 Segmentation fault when using receive limit

Sun Nov 1 14:36:40 CET 2020

Hello, was anyone else able to reproduce this issue?
I've been able to reproduce it also using the code from master.

I paste some more info here, I hope they'll be useful to troubleshoot it.

Thanks

Pier Carlo

GDB:

bird: Started
bird: AS1_1: Started
bird: AS1_1: Incoming connection from 192.0.2.11 (port 44145) accepted
bird: AS1_1: BGP session established
bird: AS1_1: State changed to up
bird: AS1_1 > added [best] 1.0.1.0/24 unicast
bird: AS1_1 < rejected by protocol 1.0.1.0/24 unicast
bird: AS1_1 > added [best] 1.0.3.0/24 unicast
bird: AS1_1 < rejected by protocol 1.0.3.0/24 unicast
bird: AS1_1 > added [best] 1.0.2.0/24 unicast
bird: AS1_1 < rejected by protocol 1.0.2.0/24 unicast
bird: AS1_1 > added [best] 1.0.5.0/24 unicast
bird: AS1_1 < rejected by protocol 1.0.5.0/24 unicast
bird: Protocol AS1_1 hits route receive limit (4), action: disable

Program received signal SIGSEGV, Segmentation fault.
0x000055b5c20d8eb1 in net_format (N=0xcdcdcdcdcdcdcde5, buf=0x7ffc6c8d0570
"", buflen=257) at lib/net.c:82
82  switch (n->n.type)
(gdb)
(gdb)
(gdb) bt
#0  0x000055b5c20d8eb1 in net_format (N=0xcdcdcdcdcdcdcde5,
buf=0x7ffc6c8d0570 "", buflen=257) at lib/net.c:82
#1  0x000055b5c20da380 in bvsnprintf (buf=0x7ffc6c8d0770 "AS1_1 > ignored
[limit] \b", size=1000, fmt=0x55b5c218e478 "N %s",
    args=0x7ffc6c8d0be0) at lib/printf.c:246
#2  0x000055b5c20db3af in buffer_vprint (buf=0x7ffc6c8d0ba0,
fmt=0x55b5c218e46e "%s %c %s %N %s", args=0x7ffc6c8d0be0)
    at lib/printf.c:531
#3  0x000055b5c2161d0a in vlog (class=2, msg=0x55b5c218e46e "%s %c %s %N
%s", args=0x7ffc6c8d0be0) at sysdep/unix/log.c:219
#4  0x000055b5c2161e06 in log_msg (msg=0x55b5c218e46e "%s %c %s %N %s") at
sysdep/unix/log.c:244
#5  0x000055b5c20f7d35 in rte_trace (p=0x55b5c3a026a0, e=0x55b5c3a15598,
dir=62, msg=0x55b5c218e5f5 "ignored [limit]")
    at nest/rt-table.c:555
#6  0x000055b5c20f7d79 in rte_trace_in (flag=4, p=0x55b5c3a026a0,
e=0x55b5c3a15598, msg=0x55b5c218e5f5 "ignored [limit]")
    at nest/rt-table.c:562
#7  0x000055b5c20fbf06 in rte_update_in (c=0x55b5c3a029e0,
n=0x7ffc6c8d0e30, new=0x55b5c3a15598, src=0x55b5c3a0a5c0)
    at nest/rt-table.c:2493
#8  0x000055b5c211984d in rte_update3 (c=0x55b5c3a029e0, n=0x7ffc6c8d0e30,
new=0x55b5c3a15598, src=0x55b5c3a0a5c0)
    at ./nest/protocol.h:638
#9  0x000055b5c211d17a in bgp_rte_update (s=0x7ffc6c8d0f90,
n=0x7ffc6c8d0e30, path_id=0, a0=0x7ffc6c8d0e60)
    at proto/bgp/packets.c:1331
#10 0x000055b5c211d6e9 in bgp_decode_nlri_ip4 (s=0x7ffc6c8d0f90,
pos=0x55b5c3a0d33f "", len=0, a=0x7ffc6c8d0e60)
    at proto/bgp/packets.c:1479
#11 0x000055b5c211f2b5 in bgp_decode_nlri (s=0x7ffc6c8d0f90, afi=65537,
nlri=0x55b5c3a0d32b "\030\001", len=20,
    ea=0x55b5c3a132b0, nh=0x55b5c3a0d327 "\300", nh_len=4) at
proto/bgp/packets.c:2410
#12 0x000055b5c211f743 in bgp_rx_update (conn=0x55b5c3a028a8,
pkt=0x55b5c3a0d300 '\377' <repeats 16 times>, len=63)
    at proto/bgp/packets.c:2505
#13 0x000055b5c2120b75 in bgp_rx_packet (conn=0x55b5c3a028a8,
pkt=0x55b5c3a0d300 '\377' <repeats 16 times>, len=63)
    at proto/bgp/packets.c:3097
#14 0x000055b5c2120d02 in bgp_rx (sk=0x55b5c3a0d1b0, size=63) at
proto/bgp/packets.c:3142
#15 0x000055b5c215dd41 in call_rx_hook (s=0x55b5c3a0d1b0, size=63) at
sysdep/unix/io.c:1796
#16 0x000055b5c215e116 in sk_read (s=0x55b5c3a0d1b0, revents=1) at
sysdep/unix/io.c:1884
#17 0x000055b5c215f028 in io_loop () at sysdep/unix/io.c:2342
#18 0x000055b5c2164109 in main (argc=5, argv=0x7ffc6c8d13d8) at
sysdep/unix/main.c:923

valgrind:

root at c8fa0d485dcd:~# valgrind --leak-check=yes bird -c /etc/bird/bird.conf
-d -f
==270== Memcheck, a memory error detector
==270== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==270== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==270== Command: bird -c /etc/bird/bird.conf -d -f
==270==
...
bird: AS1_1: Started
bird: AS1_1: Incoming connection from 192.0.2.11 (port 59019) accepted
bird: AS1_1: BGP session established
bird: AS1_1: State changed to up
bird: AS1_1 > added [best] 1.0.1.0/24 unicast
bird: AS1_1 < rejected by protocol 1.0.1.0/24 unicast
bird: AS1_1 > added [best] 1.0.3.0/24 unicast
bird: AS1_1 < rejected by protocol 1.0.3.0/24 unicast
bird: AS1_1 > added [best] 1.0.2.0/24 unicast
bird: AS1_1 < rejected by protocol 1.0.2.0/24 unicast
bird: AS1_1 > added [best] 1.0.5.0/24 unicast
bird: AS1_1 < rejected by protocol 1.0.5.0/24 unicast
bird: Protocol AS1_1 hits route receive limit (4), action: disable
==270== Invalid read of size 1
==270==    at 0x159EB1: net_format (net.c:82)
==270==    by 0x15B37F: bvsnprintf (printf.c:246)
==270==    by 0x15C3AE: buffer_vprint (printf.c:531)
==270==    by 0x1E2D09: vlog (log.c:219)
==270==    by 0x1E2E05: log_msg (log.c:244)
==270==    by 0x178D34: rte_trace (rt-table.c:555)
==270==    by 0x178D78: rte_trace_in (rt-table.c:562)
==270==    by 0x17CF05: rte_update_in (rt-table.c:2493)
==270==    by 0x19A84C: rte_update3 (protocol.h:638)
==270==    by 0x19E179: bgp_rte_update (packets.c:1331)
==270==    by 0x19E6E8: bgp_decode_nlri_ip4 (packets.c:1479)
==270==    by 0x1A02B4: bgp_decode_nlri (packets.c:2410)
==270==  Address 0xcdcdcdcdcdcdcde5 is not stack'd, malloc'd or (recently)
free'd
==270==
==270==
==270== Process terminating with default action of signal 11 (SIGSEGV)
==270==  General Protection Fault
==270==    at 0x159EB1: net_format (net.c:82)
==270==    by 0x15B37F: bvsnprintf (printf.c:246)
==270==    by 0x15C3AE: buffer_vprint (printf.c:531)
==270==    by 0x1E2D09: vlog (log.c:219)
==270==    by 0x1E2E05: log_msg (log.c:244)
==270==    by 0x178D34: rte_trace (rt-table.c:555)
==270==    by 0x178D78: rte_trace_in (rt-table.c:562)
==270==    by 0x17CF05: rte_update_in (rt-table.c:2493)
==270==    by 0x19A84C: rte_update3 (protocol.h:638)
==270==    by 0x19E179: bgp_rte_update (packets.c:1331)
==270==    by 0x19E6E8: bgp_decode_nlri_ip4 (packets.c:1479)
==270==    by 0x1A02B4: bgp_decode_nlri (packets.c:2410)
==270==
==270== HEAP SUMMARY:
==270==     in use at exit: 156,337 bytes in 589 blocks
==270==   total heap usage: 867 allocs, 278 frees, 406,303 bytes allocated
==270==
==270== LEAK SUMMARY:
==270==    definitely lost: 0 bytes in 0 blocks
==270==    indirectly lost: 0 bytes in 0 blocks
==270==      possibly lost: 0 bytes in 0 blocks
==270==    still reachable: 156,337 bytes in 589 blocks
==270==         suppressed: 0 bytes in 0 blocks
==270== Reachable blocks (those to which a pointer was found) are not shown.
==270== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==270==
==270== For counts of detected and suppressed errors, rerun with: -v
==270== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault

On Sat, 24 Oct 2020 at 16:17, Pier Carlo Chiodi <pierky at pierky.com> wrote:

> Hello,
>
> I'm getting a "Segmentation fault" error on BIRD 2.0.7 when I use 'receive
> limit X'. I've got the error when using either 'action block' or 'action
> disable'. In the same scenario, if I change the config to use 'import limit
> X' everything works fine.
>
> The error happens as soon as the daemon receives the first "extra" route
> from its peer (in the example, the 5th route while the limit is 4). Output
> of '-d -f' can be found at the bottom of this msg. If the number of routes
> received from the peer is equal to the limit, the issue is not hit.
>
> I was able to consistently reproduce what I've mentioned above using the
> following config on a Docker container based on Debian 10.1 (Linux
> f484b919cd3a 4.19.76-linuxkit #1 SMP Tue May 26 11:42:35 UTC 2020 x86_64
> GNU/Linux - Dockerfile can be found here
> https://github.com/pierky/dockerfiles/blob/master/bird/2.0.7/Dockerfile).
>
> BIRD 1.6.8 works fine.
>
> Thanks.
>
> Pier Carlo
>
>
> router id 192.0.2.2;
> define rs_as = 999;
>
> log "/var/log/bird.log" all;
> log syslog all;
> debug protocols { states, routes, filters, interfaces, events };
>
> timeformat base         iso long;
> timeformat log          iso long;
> timeformat protocol     iso long;
> timeformat route        iso long;
>
> protocol device {};
>
> ipv4 table master4 sorted;
> ipv6 table master6 sorted;
>
> filter receive_from_AS1_1 {
> if !(source = RTS_BGP ) then
> reject "source != RTS_BGP - REJECTING ", net;
>
> if !(net.type = NET_IP4) then
> reject "AFI not enabled for this peer - REJECTING ", net;
>
> accept;
> }
>
> protocol bgp AS1_1 {
>
> local as 999;
> neighbor 192.0.2.11 as 1;
> rs client;
>
> passive on;
> ttl security off;
> interpret communities off;
>
> # ---------------------------------------
> ipv4 {
> table master4;
>
> secondary;
>
> receive limit 4 action block;
>
> import table on;
> import keep filtered on;
> import filter receive_from_AS1_1;
>
> export none;
>
> # ---------------------------------------
> };
> }
>
>
>
>
> Output of '-d -f':
>
>
> root at f484b919cd3a:~# bird -c /etc/bird/bird.conf -d -f
> bird: device1: Initializing
> bird: AS1_1: Channel ipv4 connected to table master4
> bird: AS1_1: Initializing
> bird: device1: Starting
> bird: device1: Scanning interfaces
> bird: device1: State changed to up
> bird: AS1_1: Starting
> bird: AS1_1: State changed to start
> bird: Started
> bird: AS1_1: Started
> bird: AS1_1: Incoming connection from 192.0.2.11 (port 49457) accepted
> bird: AS1_1: BGP session established
> bird: AS1_1: State changed to up
> bird: AS1_1 > added [best] 1.0.1.0/24 unicast
> bird: AS1_1 < rejected by protocol 1.0.1.0/24 unicast
> bird: AS1_1 > added [best] 1.0.3.0/24 unicast
> bird: AS1_1 < rejected by protocol 1.0.3.0/24 unicast
> bird: AS1_1 > added [best] 1.0.2.0/24 unicast
> bird: AS1_1 < rejected by protocol 1.0.2.0/24 unicast
> bird: AS1_1 > added [best] 1.0.5.0/24 unicast
> bird: AS1_1 < rejected by protocol 1.0.5.0/24 unicast
> bird: Protocol AS1_1 hits route receive limit (4), action: disable
> Segmentation fault
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20201101/ea3a5174/attachment.htm>