Reconfiguring MPLS channel while down causes segfault on bird 3.2.0
Hello, I've found an issue with bird 3.2.0 which can be reproduced with the following configuration (no peer required). Just run configure after starting bird. router id 1; mpls table mtab; mpls domain mdom; protocol bgp test { local 192.0.2.2 port 8179 as 65000; neighbor 192.0.2.1 as 65001; mpls {label policy aggregate;}; } It appears that this issue is caused because c->mpls_map is only set in mpls_channel_start instead of mpls_channel_init which would also match the deallocation in mpls_channel_cleanup. This means that before the channel is first up c->mpls_map is null and would cause a null pointer dereference as part of mpls_fec_map_reconfigure (called in mpls_channel_reconfigure).
Just checked and my proposed solution wouldn't work as mpls_fec_map_new requires a pool from the protocol which is only set when the protocol is up Maybe the correct solution is to check for whether mpls_map is null in mpls_channel_reconfigure and possibly explicitly set mpls_map to null in mpls_channel_init if there's not already some mechanism to zero out the memory a channel struct will use. On 03/04/2026 01:38, Max Hearnden via Bird-users wrote:
Hello, I've found an issue with bird 3.2.0 which can be reproduced with the following configuration (no peer required). Just run configure after starting bird.
router id 1;
mpls table mtab; mpls domain mdom;
protocol bgp test { local 192.0.2.2 port 8179 as 65000; neighbor 192.0.2.1 as 65001; mpls {label policy aggregate;}; }
It appears that this issue is caused because c->mpls_map is only set in mpls_channel_start instead of mpls_channel_init which would also match the deallocation in mpls_channel_cleanup. This means that before the channel is first up c->mpls_map is null and would cause a null pointer dereference as part of mpls_fec_map_reconfigure (called in mpls_channel_reconfigure).
Hi Max, thanks for the bug report. I've been able to reproduce it in our labs also, so can confirm it is indeed a bug in v3. I have forwarded it to our issue tracker and our dev team will investigate it further. If we need more information from you, we will let you know. Happy routing, David PS: Thanks for the pointers! David Petera (he/him) | BIRD Tech Support | CZ.NIC, z.s.p.o. On 4/3/26 02:38, Max Hearnden via Bird-users wrote:
Hello, I've found an issue with bird 3.2.0 which can be reproduced with the following configuration (no peer required). Just run configure after starting bird.
router id 1;
mpls table mtab; mpls domain mdom;
protocol bgp test { local 192.0.2.2 port 8179 as 65000; neighbor 192.0.2.1 as 65001; mpls {label policy aggregate;}; }
It appears that this issue is caused because c->mpls_map is only set in mpls_channel_start instead of mpls_channel_init which would also match the deallocation in mpls_channel_cleanup. This means that before the channel is first up c->mpls_map is null and would cause a null pointer dereference as part of mpls_fec_map_reconfigure (called in mpls_channel_reconfigure).
participants (2)
-
David Petera -
Max Hearnden