On Wed, Jan 08, 2020 at 11:52:40AM +0000, Kenth Eriksson wrote:
> We have seen a bird crash due to memory corruption. The call stacks show that it can happen at different locations, but they all seem to come from the packet size becoming larger than the socket tx buffer size.
> Before the crash happens, the following trace can be observed in the log:
> 2020-01-08 11:06:52.584 <DBG> Assertion '*plen < ifa->sk->tbsize' failed at /usr/local/src/tm3000/ext/bird/proto/ospf/packet.c:97
> Debugging shows that *plen is 1504 (after adding auth_len of 32 bytes). The tbsize is set to 1492, which corresponds to the MTU size.
> The procedure ospf_pkt_maxsize does not take account of authentication; is that correct?
It should take account of authentication:

static inline uint
ospf_pkt_maxsize(struct ospf_iface *ifa)
{
  return ifa->tx_length - ifa->tx_hdrlen;
}

...

ifa->tx_hdrlen = ifa_tx_hdrlen(ifa);

...

static inline uint
ifa_tx_hdrlen(struct ospf_iface *ifa)
{
  struct ospf_proto *p = ifa->oa->po;

  uint hlen = ospf_is_v2(p) ? IP4_HEADER_LENGTH : IP6_HEADER_LENGTH;

  /* Relevant just for OSPFv2 */
  if (ifa->autype == OSPF_AUTH_CRYPT)
  {
    hlen += ospf_is_v2(p) ? 0 : sizeof(struct ospf_auth3);
    hlen += max_mac_length(ifa->passwords);
  }

  return hlen;
}

What do you have in ifa->tx_length and ifa->tx_hdrlen?

-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
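The budget arithmetic under discussion, as an added stand-alone model that is not BIRD's code and not part of either message above. It reproduces the reported numbers (MTU 1492, IPv4 header 20, 32-byte MAC): when the MAC is left out of tx_hdrlen the packet body is filled to 1472 bytes and the 32-byte trailer pushes the total to 1504, which fails the '*plen < tbsize' check; when the MAC is counted the body is capped at 1440 and the trailer fits. The struct, the function names with the model_ prefix, the OSPFv3 auth trailer header size of 16 and the fill bytes are hypothetical; only the header lengths and the logic mirror what the thread quotes.

```c
/* Added example: a model of the OSPF tx-size budget from the thread.
 * Not BIRD code; model_* names, the auth3 header size (16) and the
 * fill bytes are hypothetical, chosen to reproduce the reported case. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4_HEADER_LENGTH 20
#define IP6_HEADER_LENGTH 40
#define MODEL_MAX_MTU     9000   /* hypothetical upper bound for the scratch buffer */

enum model_auth { MODEL_AUTH_NONE = 0, MODEL_AUTH_CRYPT = 2 };

struct model_iface {
    int             ospf_v2;       /* 1 = OSPFv2 over IPv4, 0 = OSPFv3 over IPv6 */
    enum model_auth autype;
    unsigned        max_mac_len;   /* longest MAC among the configured keys */
    unsigned        tx_length;     /* MTU-derived; equals the tx buffer size here */
    unsigned        auth3_hdrlen;  /* OSPFv3 auth trailer header (hypothetical 16) */
};

/* Bytes reserved out of tx_length before the OSPF body: the IP header plus,
 * for cryptographic auth, the MAC (and the OSPFv3 trailer header).
 * 'include_auth' = 0 models the buggy budget that ignores the MAC. */
static unsigned model_tx_hdrlen(const struct model_iface *ifa, int include_auth)
{
    unsigned hlen = ifa->ospf_v2 ? IP4_HEADER_LENGTH : IP6_HEADER_LENGTH;
    if (include_auth && ifa->autype == MODEL_AUTH_CRYPT) {
        hlen += ifa->ospf_v2 ? 0 : ifa->auth3_hdrlen;
        hlen += ifa->max_mac_len;
    }
    return hlen;
}

static unsigned model_pkt_maxsize(const struct model_iface *ifa, int include_auth)
{
    return ifa->tx_length - model_tx_hdrlen(ifa, include_auth);
}

/* Write body_len bytes of payload into buf, then append a mac_len trailer.
 * Returns the final length, or 0 when the trailer would not fit; the latter
 * is the condition the '*plen < tbsize' assertion in the thread reports. */
static unsigned model_build_packet(uint8_t *buf, unsigned bufsize,
                                   unsigned body_len, unsigned mac_len)
{
    if (body_len > bufsize)
        return 0;
    memset(buf, 0xAA, body_len);              /* constructed payload */
    if (body_len + mac_len >= bufsize)        /* mirrors '*plen < tbsize' */
        return 0;
    memset(buf + body_len, 0xBB, mac_len);    /* constructed MAC trailer */
    return body_len + mac_len;
}

/* Fill a packet to the computed maximum and append the MAC.
 * Returns the resulting length, or 0 if the budget let it overflow. */
static unsigned model_try_send(unsigned mtu, int ospf_v2, unsigned mac_len, int include_auth)
{
    struct model_iface ifa = { ospf_v2, MODEL_AUTH_CRYPT, mac_len, mtu, 16 };
    uint8_t buf[MODEL_MAX_MTU];
    if (mtu > sizeof buf)
        return 0;
    unsigned body = model_pkt_maxsize(&ifa, include_auth);
    return model_build_packet(buf, mtu, body, mac_len);
}

int main(void)
{
    /* The reported case: MTU 1492, OSPFv2, 32-byte MAC. */
    printf("MAC ignored in budget : %u (0 = overflow)\n", model_try_send(1492, 1, 32, 0));
    printf("MAC counted in budget : %u\n", model_try_send(1492, 1, 32, 1));
    return 0;
}
```

The check that matters is the one inside model_build_packet: the size budget and the trailer are computed in two different places, so the builder must re-verify the total against the real buffer size rather than trust that the budget already accounted for every trailer.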