Hello,

bird with version >= 1.4.1 has the following bug: it falls with segmentation fault when it receives certain BGP UPDATE messages. In particular, the problem is triggered by a message with attributes but without NLRI section. An example of such a message is End-of-RIB marker (an empty UPDATE) with additional multiprotocol extension attributes (such as MP_UNREACH_NLRI):

    0000  ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    0010  00 1e 02 00 00 00 07 90 0f 00 03 00 01 01

The problem is caused by null pointer reference in the function bgp_set_next_hop:

    struct eattr *nh = ea_find(a->eattrs, EA_CODE(EAP_BGP, BA_NEXT_HOP));
    ip_addr *nexthop = (ip_addr *) nh->u.ptr->data;

In the case of the UPDATE message above, a->eattrs field is NULL, and hence nh is NULL too, resulting in SIGSEGV.

In bird <= 1.4.0 this function is called in bgp_do_rx_update only when nlri_len != 0 (I'm not sure it's safe enough, but at least it doesn't cause this problem). However, in v1.4.1 this behavior has been changed, and now bgp_set_next_hop is called for every UPDATE message with positive attr_len + nlri_len.
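An added example, not part of the original message and not BIRD's code or its 1.4.3 fix: a standalone parser that splits the UPDATE quoted above into its sections and shows that it has attr_len 7, nlri_len 0 and no NEXT_HOP attribute, so a next-hop lookup has to handle the absent case. The names split_update, find_attr, get_next_hop and struct update_view are hypothetical, and the 4-byte IPv4 NEXT_HOP length is assumed from RFC 4271.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define BA_NEXT_HOP 3  /* NEXT_HOP type code (RFC 4271) */
/* Illustration only, hypothetical helpers. Bytes are the UPDATE from the report. */
static const uint8_t sample_update[30] = {
  0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
  0x00,0x1e,0x02,0x00,0x00,0x00,0x07,0x90,0x0f,0x00,0x03,0x00,0x01,0x01 };
struct update_view { const uint8_t *attrs; size_t attr_len, nlri_len; };

/* Split an UPDATE into sections with bounds checks; 0 on success, -1 if malformed. */
int split_update(const uint8_t *m, size_t len, struct update_view *v) {
  if (len < 23 || m[18] != 2 || (size_t)((m[16] << 8) | m[17]) != len) return -1;
  size_t wd = (size_t)((m[19] << 8) | m[20]);       /* withdrawn routes length */
  if (23 + wd > len) return -1;
  v->attr_len = (size_t)((m[21 + wd] << 8) | m[22 + wd]);
  v->attrs = m + 23 + wd;
  if (23 + wd + v->attr_len > len) return -1;
  v->nlri_len = len - 23 - wd - v->attr_len;
  return 0;
}

/* Return the value of the attribute with this type code, or NULL if it is absent. */
const uint8_t *find_attr(const struct update_view *v, uint8_t code, size_t *vlen) {
  for (size_t i = 0; i + 3 <= v->attr_len; ) {
    const uint8_t *a = v->attrs + i;
    size_t hdr = (a[0] & 0x10) ? 4 : 3;              /* extended-length flag */
    if (i + hdr > v->attr_len) return NULL;
    size_t l = (hdr == 4) ? (size_t)((a[2] << 8) | a[3]) : a[2];
    if (i + hdr + l > v->attr_len) return NULL;
    if (a[1] == code) { *vlen = l; return a + hdr; }
    i += hdr + l;
  }
  return NULL;
}

/* Guarded read: copies the 4-byte next hop and returns 0, or -1 if absent or mis-sized. */
int get_next_hop(const struct update_view *v, uint8_t out[4]) {
  size_t l = 0;
  const uint8_t *nh = find_attr(v, BA_NEXT_HOP, &l);
  if (nh == NULL || l != 4) return -1;               /* check before dereferencing */
  memcpy(out, nh, 4);
  return 0;
}

int main(void) {
  struct update_view v; uint8_t nh[4];
  return (split_update(sample_update, 30, &v) == 0 && get_next_hop(&v, nh) == -1) ? 0 : 1;
}
```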
On Fri, Jun 20, 2014 at 05:24:51PM +0400, Evgeny Uskov wrote:
> Hello,
>
> bird with version >= 1.4.1 has the following bug: it falls with segmentation fault when it receives certain BGP UPDATE messages. In particular, the problem is triggered by a message with attributes but without NLRI section.
Hello

This was fixed in 1.4.3:

New release 1.4.3! Important bugfix in IPv6 BGP.

--
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."