OSPF virtual link segfault in 1.3.7 (wheezy)

Kristian Lyngstol kristian at bohemians.org
Fri Oct 12 15:09:36 CEST 2012 

Greetings.

I just started playing with bird yesterday (my first endeavour into
dynamic routing). I got OSPF set up nicely, but wanted to use multiple
areas. I'm using OPSFv3(bird6/IPv6).

There are essentially two issues I'm having:

1. "It doesn't work." This is probably just because I've not configured
   it correctly yet and is somewhat secondary.
2. Whenever I throw 'virtual link' in an area, bird segfaults on
   startup. I sort of assume my configuration has a logical flaw which
   is triggering it, but I've yet to see what.

The bird6 config looks like this:

---- quote ----

log syslog all;
router id 10.0.0.1;
debug protocols all;
protocol kernel {
	learn;			# Learn all alien routes from the kernel
	persist;		# Don't remove routes on bird shutdown
	scan time 20;		# Scan kernel routing table every 20 seconds
#	import none;		# Default is import all
	export all;		# Default is export none
#	kernel table 5;		# Kernel table to synchronize with (default: main)
}
protocol device {
	scan time 10;		# Scan interfaces every 10 seconds
}

protocol static {
}

protocol ospf MyOSPF {
	area 0.0.0.0 {
		stub no;
		interface "eth2";
	};
	area 0.0.0.2 {
		stub yes;
		interface "eth1";
		virtual link 10.30.0.1;
	};
}

protocol radv {
	interface "eth1";
}

---- end quote ----

It's worth noting that the above config was just set up to trigger this.
10.30.0.1 is a not connected to the backbone, and that's where I
originally ran into this when I tried to figure out how to get a router
not directly connected to the backbone to play along with the rest...

This is all within a VM. I've tried some other variations of the same
setup and it still breaks the moment I mention 'virtual link'. Again, I
assume this config is wrong, but it obviously shouldn't segfault anyway.

Here's the relevant syslog entries with timestamps trimmed:

---- start quote ----

bird6: Started
bird6: device1: State changed to up
bird6: kernel1: Connected to table master
bird6: kernel1: State changed to up
bird6: static1 < interface lo goes up
bird6: static1 < interface eth1 goes up
bird6: static1 < interface eth0 goes up
bird6: static1: State changed to up
bird6: MyOSPF: Connected to table master
bird6: MyOSPF < interface lo goes up
bird6: MyOSPF < primary address ::1/128 on interface lo added
bird6: MyOSPF < interface eth1 goes up
bird6: MyOSPF < primary address 2a02:fe0:cf16:79::/64 on interface eth1 added
bird6: MyOSPF < secondary address fe80::/64 on interface eth1 added
bird6: MyOSPF: Adding interface eth1 (IID 0) to area 0.0.0.2
bird6: MyOSPF < interface eth0 goes up
bird6: MyOSPF < primary address 2a02:fe0:cf16:78::/64 on interface eth0 added
bird6: MyOSPF < secondary address fe80::/64 on interface eth0 added
bird6: MyOSPF: State changed to up
bird6: radv1 < interface lo goes up
bird6: radv1 < primary address ::1/128 on interface lo added
bird6: radv1 < interface eth1 goes up
bird6: radv1: Adding interface eth1
bird6: radv1 < primary address 2a02:fe0:cf16:79::/64 on interface eth1 added
bird6: radv1 < secondary address fe80::/64 on interface eth1 added
bird6: radv1 < interface eth0 goes up
bird6: radv1 < primary address 2a02:fe0:cf16:78::/64 on interface eth0 added
bird6: radv1 < secondary address fe80::/64 on interface eth0 added
bird6: radv1: State changed to up
bird6: kernel1: Scanning routing table
bird6: kernel1: Pruning table master
bird6: kernel1: Pruning inherited routes
bird6: radv1: Event Init on eth1
bird6: MyOSPF: Changing state of iface eth1 from down to waiting
bird6: MyOSPF: Scheduling router-LSA origination for area 0.0.0.2
bird6: MyOSPF: HELLO packet sent via eth1
bird6: MyOSPF: Scheduling link-LSA origination for iface eth1
bird6: radv1: Timer fired on eth1
bird6: radv1: Sending RA via eth1
bird6: MyOSPF: Originating router-LSA for area 0.0.0.2
bird6: MyOSPF: Scheduling routing table calculation
bird6: MyOSPF: Originating router prefix-LSA for area 0.0.0.2
bird6: MyOSPF: Originating link-LSA for iface eth1
kernel: [127469.292849] bird6[5956]: segfault at 28 ip 00007f85aab58a9b sp 00007fffece33910 error 4 in bird6[7f85aab2b000+65000]

---- quote end ----

This is all running on a Debian Wheezy VM (on a debian wheezy host, if
it matters).

I did a backtrace of the segfault too, and it's a fairly straight
forward null pointer deref:


---- quote ----

(gdb) run -d -c /etc/bird6.conf 
Starting program: /usr/sbin/bird6 -d -c /etc/bird6.conf
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000555555581a9b in ospf_lsa_flooding_allowed (lsa=0x7fffffffe8c0, domain=2, 
    ifa=0x5555557ca5e0) at ../../../proto/ospf/lsupd.c:122
122	      return ifa->iface->index == domain;
(gdb) bt
#0  0x0000555555581a9b in ospf_lsa_flooding_allowed (lsa=0x7fffffffe8c0, 
    domain=2, ifa=0x5555557ca5e0) at ../../../proto/ospf/lsupd.c:122
#1  0x0000555555581b65 in ospf_lsupd_flood (po=0x5555557c8f20, n=0x0, hn=0x0, 
    hh=0x7fffffffe8c0, domain=2, rtl=1) at ../../../proto/ospf/lsupd.c:172
#2  0x000055555557a957 in originate_link_lsa (ifa=0x5555557ca810)
    at ../../../proto/ospf/topology.c:1219
#3  0x000055555557a9dc in update_link_lsa (ifa=0x5555557ca810)
    at ../../../proto/ospf/topology.c:1235
#4  0x0000555555578040 in area_disp (oa=0x5555557ca2f0)
    at ../../../proto/ospf/ospf.c:455
#5  0x0000555555578098 in ospf_disp (timer=<optimized out>)
    at ../../../proto/ospf/ospf.c:475
#6  0x0000555555597de8 in tm_shot () at io.c:374
#7  io_loop () at io.c:1560
#8  0x000055555555c065 in main (argc=<optimized out>, argv=<optimized out>)
    at main.c:699
(gdb) frame 0
#0  0x0000555555581a9b in ospf_lsa_flooding_allowed (lsa=0x7fffffffe8c0, 
    domain=2, ifa=0x5555557ca5e0) at ../../../proto/ospf/lsupd.c:122
122	      return ifa->iface->index == domain;
(gdb) display ifa->iface
1: ifa->iface = (struct iface *) 0x0
(gdb) display *iface
(gdb) display *ifa  
2: *ifa = {n = {next = 0x5555557ca810, prev = 0x5555557c90d0}, iface = 0x0, 
  addr = 0x0, oa = 0x5555557ca040, cf = 0x5555557c58c0, pool = 0x5555557ca580, 
  sk = 0x0, neigh_list = {head = 0x5555557ca628, null = 0x0, 
    tail = 0x5555557ca620}, cost = 0, waitint = 40, rxmtint = 5, pollint = 0, 
  deadint = 40, vid = 169738241, vip = {addr = {0, 0, 0, 0}}, vifa = 0x0, 
  voa = 0x5555557ca2f0, inftransdelay = 1, helloint = 10, drip = {addr = {0, 
      0, 0, 0}}, bdrip = {addr = {0, 0, 0, 0}}, drid = 0, bdrid = 0, 
  rt_pos_beg = 0, rt_pos_end = 0, px_pos_beg = 0, px_pos_end = 0, 
  dr_iface_id = 0, instance_id = 0 '\000', type = 4 '\004', 
  strictnbma = 0 '\000', stub = 0 '\000', state = 0 '\000', wait_timer = 0x0, 
  hello_timer = 0x5555557ca720, poll_timer = 0x0, net_lsa = 0x0, orignet = 0, 
  origlink = 0, link_lsa = 0x0, pxn_lsa = 0x0, fadj = 0, nbma_list = {
    head = 0x5555557ca6f8, null = 0x0, tail = 0x5555557ca6f0}, 
  priority = 0 '\000', ioprob = 0 '\000', sk_dr = 0 '\000', marked = 0 '\000', 
  rxbuf = 0, check_link = 0 '\000', ecmp_weight = 0 '\000'}
(gdb) quit

---- quote end ----

Hopefully someone can help me out, otherwise I suppose I'll dig into it
this weekend.

I did take a quick look at the diff between 1.3.7 and master, but the
changes seemed somewhat insignificant for this specific issue. Either
way, I'll build it from the master branch tomorrow to test.

- Kristian

More information about the Bird-users mailing list