Bug 238496

Summary: net/bird: SIGSEGV after unexpected self-originated LSA
Product: Ports & Packages Reporter: pbd
Component: Individual Port(s)Assignee: Olivier Cochard <olivier>
Status: Closed FIXED    
Severity: Affects Only Me CC: jch
Priority: --- Flags: bugzilla: maintainer-feedback? (olivier)
Version: Latest   
Hardware: amd64   
OS: Any   

Description pbd 2019-06-11 12:38:40 UTC 
Bird 1.6.6_1 crashes,  most likely after receiving an unexpected self-originated LSA, as log says: 

17:08:06 xxx bird: Received unexpected self-originated LSA
17:08:06 xxx bird: Installing LSA: Type: 2002, Id: 192.168.144.12, Rt: 192.168.144.12, Seq: 80000001, Age: 3600
17:08:06 xxx bird: Received unexpected self-originated LSA
17:08:06 xxx bird: Installing LSA: Type: 2002, Id: 169.254.1.0, Rt: 192.168.144.12, Seq: 80000001, Age: 3600
17:08:07 xxx kernel: pid 2091 (bird), uid 0: exited on signal 11 (core dumped)

The backtrace is:

--- snip ---

# gdb bird bird.core-pkg 
...
Core was generated by `/usr/local/sbin/bird -c router.bird4.conf'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000000000429c90 in ospf_rt_notify (P=0x80126e320, tbl=<value optimized out>, 
    n=0x8012202a0, new=<value optimized out>, old=<value optimized out>, ea=0xc)
    at ../../../proto/ospf/topology.c:1281
1281	  u32 tag = ea_get_int(ea, EA_OSPF_TAG, 0);
(gdb) backtrace full
#0  0x0000000000429c90 in ospf_rt_notify (P=0x80126e320, tbl=<value optimized out>, 
    n=0x8012202a0, new=<value optimized out>, old=<value optimized out>, ea=0xc)
    at ../../../proto/ospf/topology.c:1281
	p = (struct ospf_proto *) 0x80126e320
	a = (rta *) 0x80123ca28
	m1 = 19006112
	m2 = <value optimized out>
	metric = 32767
	fwd = <value optimized out>
	tag = <value optimized out>
	oa = <value optimized out>
	ebit = <value optimized out>
	nf = <value optimized out>
#1  0x000000000042b414 in ospf_rx_hook (sk=0x80126e320, len=<value optimized out>)
    at ../../../proto/ospf/packet.c:418
	err_val = <value optimized out>
	ifa = (struct ospf_iface *) 0x7fffffffe890
	p = (struct ospf_proto *) 0x8012203e0
	pkt = (struct ospf_packet *) 0x80126e320
	plen = <value optimized out>
	err_dsc = <value optimized out>
	areaid = <value optimized out>
	rid = <value optimized out>
	instance_id = <value optimized out>
	n = (struct ospf_neighbor *) 0x80126e320
#2  0x0000000000429632 in ospf_update_lsadb (p=0x0) at ../../../proto/ospf/topology.c:483
	real_age = <value optimized out>
	en = (struct top_hash_entry *) 0x80122d190
	nxt = (struct top_hash_entry *) 0x0
#3  0x000000000044b3df in krt_do_scan () at krt-sock.c:886
	krt_bufmin = 6793000
	krt_buffer_owner = (struct proto *) 0x0
	krt_buffer = (byte *) 0x677578 "ð{g"
	krt_table_cf = 0x67a700
	krt_buflen = 6793008
	kif_proto = (struct kif_proto *) 0x67a940
	krt_max_tables = 0
#4  0x0000000000451604 in number (str=0x429632 "À\017\204J\002", num=34378797456, base=1, 
    size=-1062711132, precision=0, type=19059136, remains=<value optimized out>)
    at printf.c:65
	tmp = 0x7fffffffe960 "\001"
	digits = 0x0
	sign = Cannot access memory at address 0x0
Current language:  auto; currently minimal

--- snip ---

I was not able to reproduce the crash in bird 1.6.6 compiled manually from sources, i. e. without the FreeBSD patches to the bird (see bug #232231).
Comment 1 Olivier Cochard freebsd_committer freebsd_triage 2019-06-20 20:56:13 UTC 
Hi, following exchange with original author of the port's OSPF patch:

Your core dump shows that you didn't have the patch applied: file topology.c, line 1281 calling ea_get_int().
If you apply the patch, line 1281 is an empty line and can't call ea_get_int().

So, are you sure you meet the problem WITH the patch applied ?
Comment 2 pbd 2019-06-24 12:55:10 UTC 
(In reply to Olivier Cochard from comment #1)

I'm sorry, you are right. The backtrace I sent was bad, but the fact that I can reproduce the crash only when using Bird with the patch still stands.

I've tried to make the right backtrace, but it looks to contain less information and I don't know why. I have added --enable-debug to CONFIGURE_ARGS in /usr/ports/net/bird/Makefile, rebuilt and reinstalled the daemon, crashed it and tried to generate the backtrace:

--- snip ---

# gdb bird bird.core-ports 
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "amd64-marcel-freebsd"...(no debugging symbols found)...
Core was generated by `/usr/local/sbin/bird -c /usr/local/kernun/etc/router.bird4.conf'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libthr.so.3...(no debugging symbols found)...done.
Loaded symbols for /lib/libthr.so.3
Reading symbols from /lib/libc.so.7...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x000000000042ab70 in ospf_originate_lsa ()
(gdb) backtrace full
#0  0x000000000042ab70 in ospf_originate_lsa ()
No symbol table info available.
#1  0x000000000042c3dd in ospf_update_topology ()
No symbol table info available.
#2  0x000000000042a512 in ospf_disp ()
No symbol table info available.
#3  0x000000000044cc5f in io_loop ()
No symbol table info available.
#4  0x000000000045307a in main ()
No symbol table info available.

--- snip ---

I don't know why there is no symbol table info available.
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-08-28 03:16:08 UTC 
A commit references this bug:

Author: olivier
Date: Wed Aug 28 03:15:33 UTC 2019
New revision: 510039
URL: https://svnweb.freebsd.org/changeset/ports/510039

Log:
  Custom OSPF "wrong LSA collision detection patch" is in conflict with the fix
  included in bird 1.6.7 and generate crashes, so remove it.

  PR:		238496
  Submitted by:	pbd@pbd.name
  Reported by:	Ondrej Zajicek <santiago@crfreenet.org>

Changes:
  head/net/bird/Makefile
  head/net/bird/files/patch-proto__ospf__lsupd.c
  head/net/bird/files/patch-proto__ospf__topology.c
Comment 4 Olivier Cochard freebsd_committer freebsd_triage 2019-08-28 03:23:31 UTC 
This problem was fixed in a different way in the latest bird (1.6.7), and this patch was generating a crash, so it was removed.
If you meet problem with 1.6.6, this should mean it was already creating problem on this version.
Sorry for the delay.