Hey!

I am unsure if my message was successfully delivered to the appropriate people (maybe it was filtered due to DKIM).

-- 
Follow each decision as closely as possible with its associated action.
            - The Elements of Programming Style (Kernighan & Plauger)
――――――― Original Message ―――――――
From: Vincent Bernat <ber...@luffy.cx>
Sent: 25 June 2019 19:57 +02
Subject: Crash when filtering routes in BGP protocol
To: bird-users

> Hey!
>
> When filtering routes in BGP, I get the following crash with BIRD master:
>
> #v+
> Program received signal SIGSEGV, Segmentation fault.
> 0x000055555558ccdd in rta_free (r=0x55555558adc0 <rte_get_temp+16>) at
> ../nest/route.h:643
> 643 static inline void rta_free(rta *r) { if (r && !--r->uc)
> rta__free(r); }
> gdb$ bt full
> #0 0x000055555558ccdd in rta_free (r=0x55555558adc0 <rte_get_temp+16>) at
> ../nest/route.h:643
> No locals.
> #1 rte_update2 (c=0x5555555f3de0, n=0x7fffffffe2f0, n@entry=0x7fffffffe260,
> new=<optimized out>, src=0x5555555fec00) at ../nest/rt-table.c:1589
> old_attrs = 0x55555558adc0 <rte_get_temp+16>
> fr = <optimized out>
> p = <optimized out>
> stats = 0x5555555f3e78
> filter = 0x5555555ed980
> dummy = 0x0
> nn = 0x7fffffffe210
> #2 0x000055555559ca0a in rte_update3 (src=<optimized out>, new=<optimized
> out>, n=<optimized out>, c=<optimized out>) at ../nest/protocol.h:628
> No locals.
> #3 bgp_rte_update (s=s@entry=0x7fffffffe350, n=n@entry=0x7fffffffe2f0,
> path_id=path_id@entry=4294959812, a0=a0@entry=0x0) at
> ../proto/bgp/packets.c:1267
> a = <optimized out>
> e = <optimized out>
> #4 0x000055555559d6dd in bgp_decode_nlri_ip6 (s=0x7fffffffe350,
> pos=<optimized out>, len=<optimized out>, a=0x0) at
> ../proto/bgp/packets.c:1500
> net = {type = 2 '\002', pxlen = 48 '0', length = 20, prefix = {addr =
> {536939960, 3722248192, 0, 0}}}
> path_id = 4294959812
> l = 48
> addr = {addr = {3087860000, 56797, 0, 0}}
> b = <optimized out>
> #5 0x000055555559aced in bgp_decode_nlri (s=s@entry=0x7fffffffe460,
> afi=<optimized out>, nlri=0x5555556034d0 "0 \001\r\270\335\335\060
> \001\r\270\314\314@\001\001", len=14, ea=ea@entry=0x5555556065f0,
> nh=<optimized out>, nh_len=32) at ../proto/bgp/packets.c:2351
> c = 0x5555555f3de0
> a = 0x7fffffffe350
> #6 0x000055555559ed64 in bgp_rx_update (conn=conn@entry=0x5555555f3cd8,
> pkt=pkt@entry=0x555555603490 '\377' <repeats 16 times>, len=91) at
> ../proto/bgp/packets.c:2448
> p = <optimized out>
> ea = 0x5555556065f0
> s = {proto = 0x5555555f3ad0, channel = 0x5555555f3de0, pool =
> 0x5555556019c0, as4_session = 1, add_path = 0, mpls = 0, attrs_seen = {16390,
> 0, 0, 0, 0, 0, 0, 0}, mp_reach_af = 131073, mp_unreach_af = 0, attr_len = 68,
> ip_reach_len = 0, ip_unreach_len = 0, ip_next_hop_len = 0, mp_reach_len = 14,
> mp_unreach_len = 0, mp_next_hop_len = 32, attrs = 0x5555556034a7 "\220\016",
> ip_reach_nlri = 0x5555556034eb '\377' <repeats 16 times>, ip_unreach_nlri =
> 0x5555556034a5 "", ip_next_hop_data = 0x0, mp_reach_nlri = 0x5555556034d0 "0
> \001\r\270\335\335\060 \001\r\270\314\314@\001\001", mp_unreach_nlri = 0x0,
> mp_next_hop_data = 0x5555556034af " \001\r\270\252\252", err_withdraw = 0,
> err_subcode = 0, err_jmpbuf = {{__jmpbuf = {93824992885456,
> -942560477419964727, 93824992949408, 93824992885976, 0, 93824992949392,
> 942560477161682633, 6359628643728717513}, __mask_was_saved = 0, __saved_mask
> = {__val = {0 <repeats 16 times>}}}}, hostentry = 0x0, mpls_labels = 0x0,
> last_id = 0, last_src
> = 0x5555555fec00, cached_rta = 0x5555556075c8}
> pos = <optimized out>
> #7 0x000055555559fadb in bgp_rx_packet (len=<optimized out>,
> pkt=0x555555603490 '\377' <repeats 16 times>, conn=0x5555555f3cd8) at
> ../proto/bgp/packets.c:3024
> type = 2 '\002'
> type = <optimized out>
> #8 bgp_rx (sk=0x555555601bb0, size=<optimized out>) at
> ../proto/bgp/packets.c:3069
> conn = 0x5555555f3cd8
> pkt_start = 0x555555603490 '\377' <repeats 16 times>
> end = 0x555555603508 ""
> i = <optimized out>
> len = <optimized out>
> #9 0x00005555555a48da in call_rx_hook (s=0x555555601bb0, size=<optimized
> out>) at ../sysdep/unix/io.c:1794
> No locals.
> #10 0x00005555555a6db7 in sk_read (s=s@entry=0x555555601bb0, revents=1) at
> ../sysdep/unix/io.c:1882
> c = <optimized out>
> #11 0x00005555555a781e in io_loop () at ../sysdep/unix/io.c:2344
> s = <optimized out>
> count = 1
> poll_tout = <optimized out>
> timeout = <optimized out>
> nfds = <optimized out>
> events = <optimized out>
> pout = <optimized out>
> t = <optimized out>
> s = <optimized out>
> n = <optimized out>
> fdmax = 256
> pfd = 0x555555601010
> #12 0x0000555555560f53 in main (argc=<optimized out>, argv=<optimized out>)
> at ../sysdep/unix/main.c:906
> use_uid = <optimized out>
> use_gid = <optimized out>
> conf = 0x5555555eca10
> #v-
>
>
> Minimal configuration is:
>
> #v+
> log "/var/log/bird.log" all;
> router id 2.2.2.2;
>
> filter validated {
>   reject;
> }
>
> protocol device {
> }
>
> protocol bgp {
>   local as 65001;
>   neighbor 2001:db8:aaaa::0 as 65000;
>   ipv6 {
>     import filter validated;
>     export none;
>   };
> }
> #v-
>
> I have tried to fix that by initializing `old_attrs` to NULL, but this
> leads to a crash elsewhere. Since I don't know what a temporary attribute
> is, I may miss the whole picture.
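
A triage helper for backtraces like the one above, as an added example (not part of the original message or of BIRD). gdb appends `<symbol+offset>` to an address that falls inside a named symbol, so a pointer argument or local carrying that annotation, as `r` and `old_attrs` do here, points into the program or a library image rather than at heap or stack data. The function names and the re-joined excerpt are this example's own.

```python
import re
from collections import defaultdict

# Frames #0, #1 and #6 of the backtrace above, with the mail line wraps re-joined.
SAMPLE_BT = r"""
#0  0x000055555558ccdd in rta_free (r=0x55555558adc0 <rte_get_temp+16>) at ../nest/route.h:643
No locals.
#1  rte_update2 (c=0x5555555f3de0, n=0x7fffffffe2f0, n@entry=0x7fffffffe260, new=<optimized out>, src=0x5555555fec00) at ../nest/rt-table.c:1589
        old_attrs = 0x55555558adc0 <rte_get_temp+16>
        stats = 0x5555555f3e78
        filter = 0x5555555ed980
#6  0x000055555559ed64 in bgp_rx_update (conn=conn@entry=0x5555555f3cd8, pkt=pkt@entry=0x555555603490 '\377' <repeats 16 times>, len=91) at ../proto/bgp/packets.c:2448
        ea = 0x5555556065f0
"""

# Frame header: "#N  [0xPC in ]function (".
FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \(")
# "name = 0xADDR <symbol+offset>"; "<repeats 16 times>" and "<optimized out>"
# have no "+offset" and are therefore not matched.
SYM_PTR = re.compile(r"(\w+)\s*=\s*(0x[0-9a-f]+) <([A-Za-z_]\w*)\+(\d+)>")


def suspicious_pointers(bt_text):
    """Return (frame, function, variable, address, symbol+offset) for every
    argument or local whose value gdb resolved to a named symbol."""
    hits, frame_no, func = [], None, None
    for line in bt_text.splitlines():
        line = line.strip()
        m = FRAME.match(line)
        if m:
            frame_no, func = int(m.group(1)), m.group(2)
        for var, addr, sym, off in SYM_PTR.findall(line):
            hits.append((frame_no, func, var, addr, f"{sym}+{off}"))
    return hits


def shared_addresses(hits):
    """Group hits by address to show a bogus value handed from caller to callee."""
    by_addr = defaultdict(list)
    for _frame_no, func, var, addr, _sym in hits:
        by_addr[addr].append(f"{func}:{var}")
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


if __name__ == "__main__":
    found = suspicious_pointers(SAMPLE_BT)
    for hit in found:
        print("frame #%d %s: %s = %s <%s>" % hit)
    print(shared_addresses(found))
```

On the excerpt it reports the local `old_attrs` in `rte_update2` and the argument `r` in `rta_free` with the same address, which narrows the inspection to how `old_attrs` is assigned before the call.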