While investigating a problem reported by Sevan Janiyan (where interface
pppoe0 { passive } didn't get redistributed) I ran into this reproducible
crash.

- start ospfd with a p2p interface (tried with pppoe and gif here).
"passive" is required, e.g. interface gif0 { passive }

- remove above p2p interface from config

- ospfctl reload

- *boom*

Considering the address of tree, it would appear to be a use after free.
(Hooray for kern.nosuidcoredump=3)

(gdb) bt
#0  0x00001e7559e24880 in lsa_tree_RB_FIND (head=0xdfdfdfdfdfdfdff7, 
    elm=0x7f7ffffe5310) at /usr/src/usr.sbin/ospfd/rde_lsdb.c:39
#1  0x00001e7559e25e63 in lsa_find_tree (tree=0xdfdfdfdfdfdfdff7, type=1, 
    ls_id=1224736778, adv_rtr=1224736778)
    at /usr/src/usr.sbin/ospfd/rde_lsdb.c:526
#2  0x00001e7559e25da9 in lsa_find (iface=0x1e77c1c00000, type=1 '\001', 
    ls_id=1224736778, adv_rtr=1224736778)
    at /usr/src/usr.sbin/ospfd/rde_lsdb.c:505
#3  0x00001e7559e2021f in rde_dispatch_imsg (fd=8, event=2, 
    bula=0x1e7814ade000) at /usr/src/usr.sbin/ospfd/rde.c:421
#4  0x00001e77681e81a8 in event_base_loop (base=0x1e77c1bff400, flags=Variable 
"flags" is not available.
)
    at /usr/src/lib/libevent/event.c:350
#5  0x00001e7559e1f862 in rde (xconf=0x1e77833ec800, 
    pipe_parent2rde=0x1e755a2358a8, pipe_ospfe2rde=0x1e755a2358b8, 
    pipe_parent2ospfe=0x1e755a2358a0) at /usr/src/usr.sbin/ospfd/rde.c:186
#6  0x00001e7559e1507e in main (argc=0, argv=0x7f7ffffe5b18)
    at /usr/src/usr.sbin/ospfd/ospfd.c:242