[PATCH] Wrong calculation in as_path_getlen, and check_aspa improvement suggestion

Ondrej Zajicek santiago at crfreenet.org
Tue Sep 2 16:44:46 CEST 2025


On Sun, Aug 31, 2025 at 06:04:12PM +0200, Alarig Le Lay via Bird-users wrote:
> Hello,
> 
> We (Evann and I) found a bug related to as_path_getlen() when used by
> aspa_check(). When a route contains an AS_SET segment type, the length
> returned by as_path_getlen() is incorrect. The function assumes that the
> length of an AS_PATH_SET is a single AS (1), while in reality an
> AS_PATH_SET is an unordered set of ASN (as described here
> https://www.rfc-editor.org/rfc/rfc4271#section-9.2.2.1).

Hello

Thanks, merged the second patch:

https://gitlab.nic.cz/labs/bird/-/commit/93012b3ac81bc8e2a0a9b7e48b552c269b0523d9

(I modified comments and expanded as_path_contains_set() to match also
AS_CONFED_SET, which is irrelevant to this case, but it is fitting.)


> Originally, the segfault was handled by returning ASPA_INVALID on AS_PATH
> that contained an AS_SET, but we discovered that this was not the real
> problem, but rather a bad allocation due to an incorrect calculation of
> the AS path length. We mitigated this issue with our first patch.

The real problem was using as_path_getlen() to estimate the size of a
buffer in general. The primary purpose of as_path_getlen() is to compute
AS_PATH length for the best route comparison, and here the AS_SET segment
should be considered of length 1:

https://www.rfc-editor.org/rfc/rfc4271#section-9.1.2.2

      a) Remove from consideration all routes that are not tied for
         having the smallest number of AS numbers present in their
         AS_PATH attributes.  Note that when counting this number, an
         AS_SET counts as 1, no matter how many ASes are in the set.

Therefore, the first patch would break the best path selection.

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
"To err is human -- to blame it on a computer is even more so."

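An added illustration of the distinction drawn in the message above (not part of the original message and not BIRD's code): one pass over a constructed AS_PATH yields both the RFC 4271 selection length, where an AS_SET counts as 1, and the number of ASNs actually present, which is the figure a buffer has to be sized from. All names (`demo_measure`, `demo_flatten`, `demo_path`) are hypothetical, 4-byte ASNs are assumed, and confederation segments are counted as 0 in the selection length per RFC 5065.

```c
#include <stddef.h>
#include <stdint.h>

/* Segment types: RFC 4271 (1, 2) and RFC 5065 (3, 4). */
enum { SEG_SET = 1, SEG_SEQUENCE = 2, SEG_CONFED_SEQUENCE = 3, SEG_CONFED_SET = 4 };
#define ASN_SIZE 4 /* assumption: 4-byte ASNs on the wire */

/* Constructed sample: AS_SEQUENCE {64500, 64501} then AS_SET {64502, 64503, 64504}. */
static const uint8_t demo_path[] = {
  SEG_SEQUENCE, 2, 0,0,0xFB,0xF4, 0,0,0xFB,0xF5,
  SEG_SET,      3, 0,0,0xFB,0xF6, 0,0,0xFB,0xF7, 0,0,0xFB,0xF8,
};

/* Walks the segments once. sel_len is the best-path-selection length (AS_SET
 * counts 1, confederation segments 0); asn_count is every ASN present.
 * Returns 0, or -1 for a truncated or unknown segment. */
int demo_measure(const uint8_t *p, size_t len, size_t *sel_len, size_t *asn_count)
{
  *sel_len = *asn_count = 0;
  for (size_t pos = 0; pos < len; ) {
    if (len - pos < 2) return -1;                    /* no room for type + count */
    uint8_t type = p[pos], n = p[pos + 1];
    pos += 2;
    if ((size_t)n * ASN_SIZE > len - pos) return -1; /* segment runs past the end */
    if (type == SEG_SEQUENCE) *sel_len += n;
    else if (type == SEG_SET) *sel_len += 1;
    else if (type != SEG_CONFED_SEQUENCE && type != SEG_CONFED_SET) return -1;
    *asn_count += n;                                 /* storage need: every ASN */
    pos += (size_t)n * ASN_SIZE;
  }
  return 0;
}

/* Copies every ASN into out[]; refuses (-1) instead of writing past cap. */
long demo_flatten(const uint8_t *p, size_t len, uint32_t *out, size_t cap)
{
  size_t sel, total, k = 0;
  if (demo_measure(p, len, &sel, &total) < 0 || total > cap) return -1;
  for (size_t pos = 0; pos < len; ) {
    uint8_t n = p[pos + 1];
    pos += 2;
    for (uint8_t i = 0; i < n; i++, pos += ASN_SIZE)
      out[k++] = (uint32_t)p[pos] << 24 | (uint32_t)p[pos + 1] << 16 | (uint32_t)p[pos + 2] << 8 | p[pos + 3];
  }
  return (long)k;
}
```

For the sample path the selection length is 3 while 5 ASNs must be stored, so a buffer sized from the selection length is two entries short.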
