Segmentation fault on EOR

Evgeny Uskov eu at qrator.net
Fri Jun 20 15:24:51 CEST 2014


Hello,

bird with version >= 1.4.1 has the following bug: it fails with a
segmentation fault when it receives certain BGP UPDATE messages. In
particular, the problem is triggered by a message with attributes but
without an NLRI section. An example of such a message is an End-of-RIB
marker (an empty UPDATE) with additional multiprotocol extension
attributes (such as MP_UNREACH_NLRI):
0000   ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
0010   00 1e 02 00 00 00 07 90 0f 00 03 00 01 01

The problem is caused by a null pointer dereference in the function
bgp_set_next_hop:
  /* ea_find() returns NULL when the attribute is absent */
  struct eattr *nh = ea_find(a->eattrs, EA_CODE(EAP_BGP, BA_NEXT_HOP));
  /* nh->u.ptr is read without checking nh for NULL */
  ip_addr *nexthop = (ip_addr *) nh->u.ptr->data;
In the case of the UPDATE message above, the a->eattrs field is NULL, and
hence nh is NULL too, resulting in SIGSEGV.

In bird <= 1.4.0 this function is called in bgp_do_rx_update only when
nlri_len != 0 (I'm not sure it's safe enough, but at least it doesn't
cause this problem). However, in v1.4.1 this behavior has been
changed, and now bgp_set_next_hop is called for every UPDATE message
with positive attr_len + nlri_len.
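As an added illustration, not code from this report or from BIRD itself: a small C parser that walks the UPDATE shown above, records which path attributes are present and how many NLRI bytes follow them, and applies the guard the report implies (only dereference NEXT_HOP when there are NLRI to attach it to and the attribute actually exists). The names parse_update and can_set_next_hop are this example's own, and EOR_MSG is a constructed copy of the bytes quoted above.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed copy of the 30-byte End-of-RIB UPDATE shown in the report. */
static const uint8_t EOR_MSG[] = {
  0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
  0x00,0x1e, 0x02, 0x00,0x00, 0x00,0x07, 0x90,0x0f,0x00,0x03, 0x00,0x01,0x01 };
#define BA_NEXT_HOP 3          /* RFC 4271 NEXT_HOP attribute type code */
#define BA_MP_UNREACH_NLRI 15  /* RFC 4760 MP_UNREACH_NLRI type code */
struct update_info { uint16_t withdrawn_len, attr_len, nlri_len; int has_next_hop, has_mp_unreach; };

/* Parse a BGP UPDATE (header included); returns 0, or -1 if malformed. */
int parse_update(const uint8_t *msg, size_t len, struct update_info *u) {
  memset(u, 0, sizeof *u);
  if (len < 23 || msg[18] != 2 || (((size_t)msg[16] << 8) | msg[17]) != len) return -1;
  const uint8_t *p = msg + 19, *lim = msg + len;
  u->withdrawn_len = (p[0] << 8) | p[1];
  p += 2 + u->withdrawn_len;
  if (lim - p < 2) return -1;
  u->attr_len = (p[0] << 8) | p[1];
  p += 2;
  const uint8_t *end = p + u->attr_len;
  if (end > lim) return -1;
  u->nlri_len = (uint16_t)(lim - end);       /* whatever follows the attributes */
  while (p < end) {                           /* walk the path attributes */
    if (end - p < 3) return -1;
    int ext = p[0] & 0x10;                    /* extended-length flag */
    if (ext && end - p < 4) return -1;
    size_t hdr = ext ? 4 : 3, alen = ext ? (size_t)((p[2] << 8) | p[3]) : p[2];
    if ((size_t)(end - p) < hdr + alen) return -1;
    if (p[1] == BA_NEXT_HOP) u->has_next_hop = 1;
    if (p[1] == BA_MP_UNREACH_NLRI) u->has_mp_unreach = 1;
    p += hdr + alen;
  }
  return 0;
}

/* Guard mirroring the report: read NEXT_HOP only when IPv4 NLRI are present
   and the attribute exists, so an EoR marker never reaches the dereference. */
int can_set_next_hop(const struct update_info *u) { return u->nlri_len > 0 && u->has_next_hop; }

int main(void) {
  struct update_info u;
  if (parse_update(EOR_MSG, sizeof EOR_MSG, &u) != 0) return 1;
  printf("attr_len=%u nlri_len=%u next_hop=%d mp_unreach=%d set_next_hop=%d\n",
         u.attr_len, u.nlri_len, u.has_next_hop, u.has_mp_unreach, can_set_next_hop(&u));
  return 0;
}
```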
