Reconfiguring MPLS channel while down causes segfault on bird 3.2.0
Max Hearnden
bird-user at zandoodle.me.uk
Fri Apr 3 17:03:34 CEST 2026
Just checked and my proposed solution wouldn't work as mpls_fec_map_new
requires a pool from the protocol which is only set when the protocol is up
Maybe the correct solution is to check for whether mpls_map is null in
mpls_channel_reconfigure and possibly explicitly set mpls_map to null in
mpls_channel_init if there's not already some mechanism to zero out the
memory a channel struct will use.
On 03/04/2026 01:38, Max Hearnden via Bird-users wrote:
> Hello, I've found an issue with bird 3.2.0 which can be reproduced
> with the following configuration (no peer required). Just run
> configure after starting bird.
>
>
> router id 1;
>
> mpls table mtab;
> mpls domain mdom;
>
> protocol bgp test {
> local 192.0.2.2 port 8179 as 65000;
> neighbor 192.0.2.1 as 65001;
> mpls {label policy aggregate;};
> }
>
> It appears that this issue is caused because c->mpls_map is only set
> in mpls_channel_start instead of mpls_channel_init which would also
> match the deallocation in mpls_channel_cleanup. This means that before
> the channel is first up c->mpls_map is null and would cause a null
> pointer dereference as part of mpls_fec_map_reconfigure (called in
> mpls_channel_reconfigure).
>
More information about the Bird-users
mailing list