On Wed, Sep 19, 2018 at 01:45:03PM +0000, Aaron A. Glenn wrote:
> * Theo de Raadt <[email protected]> [2018-09-19 11:34]:
> >
> > Repeat the test please.
>
> (gdb) bt
> #0 0x00000bcf682ccf80 in memcpy (dst0=0x7f7ffffec304, src0=0xbceff4c9ffd,
> length=4)
> at /usr/src/lib/libc/string/memcpy.c:97
> #1 0x00000bccac440498 in aspath_verify (data=Variable "data" is not
> available.
> ) at /usr/src/usr.sbin/bgpd/util.c:488
> #2 0x00000bccac41a404 in rde_attr_parse (p=Variable "p" is not available.
> ) at /usr/src/usr.sbin/bgpd/rde.c:1509
> #3 0x00000bccac417ee9 in rde_update_dispatch (imsg=0x7f7ffffec560) at
> /usr/src/usr.sbin/bgpd/rde.c:1066
> #4 0x00000bccac41708a in rde_dispatch_imsg_session (ibuf=0xbceccd84000) at
> /usr/src/usr.sbin/bgpd/rde.c:400
> #5 0x00000bccac41577b in rde_main (debug=0, verbose=Variable "verbose" is not
> available.
> ) at /usr/src/usr.sbin/bgpd/rde.c:309
> #6 0x00000bccac401047 in main (argc=0, argv=0x7f7ffffed248) at
> /usr/src/usr.sbin/bgpd/bgpd.c:183
> (gdb) bt full
> #0 0x00000bcf682ccf80 in memcpy (dst0=0x7f7ffffec304, src0=0xbceff4c9ffd,
> length=4)
> at /usr/src/lib/libc/string/memcpy.c:97
> dst = 0x7f7ffffec304 ""
> src = 0xbceff4ca000 <Address 0xbceff4ca000 out of bounds>
> t = 4
> #1 0x00000bccac440498 in aspath_verify (data=Variable "data" is not
> available.
> ) at /usr/src/usr.sbin/bgpd/util.c:488
> as = Cannot access memory at address 0x0
> (gdb)
>
> Had to build bgpd w/ symbols on another machine (though a timestamp matched
> source tree)
>
In short, aspath_verify() runs over the end of the buffer and gets trapped on an
unmapped memory access. Why this is happening is currently unclear to me.
Re-reading code now. There were already some fixes in that area.

What version of util.c do you have? (cvs status util.c or head -1 util.c)

Can you 'tcpdump -s 1500 -w /tmp/bgp.pcap -ni <yourinterface> port bgp' and
send me that pcap file. Maybe that allows me to reproduce the issue.

-- 
:wq Claudio
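As an added illustration of the kind of check the diagnosis above calls for, here is a bounds-checked AS_PATH walker in C. It is example code written for this page, not bgpd's aspath_verify(); it assumes 4-byte AS numbers (the memcpy of length 4 in the backtrace), and the result codes and sample attributes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AS_PATH segment types: AS_SET=1, AS_SEQUENCE=2, AS_CONFED_SEQUENCE=3, AS_CONFED_SET=4 */
#define AS_SEQUENCE 2
#define AS_TYPE_MAX 4

enum aspath_result { ASPATH_OK, ASPATH_TRUNCATED, ASPATH_BAD_TYPE, ASPATH_EMPTY };

/* Walk an AS_PATH with 4-byte ASNs.  Header and announced ASNs are checked against
 * the bytes left before anything is read, so an oversized count is rejected, not copied. */
enum aspath_result
aspath_check(const uint8_t *data, size_t len, size_t *nasns)
{
	size_t pos = 0, count = 0;
	while (pos < len) {
		if (len - pos < 2)		/* type + count bytes must fit */
			return ASPATH_TRUNCATED;
		uint8_t type = data[pos], n = data[pos + 1];
		if (type < 1 || type > AS_TYPE_MAX)
			return ASPATH_BAD_TYPE;
		if (n == 0)
			return ASPATH_EMPTY;
		size_t need = (size_t)n * 4;
		if (len - pos - 2 < need)	/* every announced ASN must fit */
			return ASPATH_TRUNCATED;
		for (size_t i = 0; i < n; i++) {	/* now in bounds: safe to copy */
			uint32_t as;
			memcpy(&as, data + pos + 2 + i * 4, sizeof(as));
			count++;
		}
		pos += 2 + need;
	}
	if (nasns != NULL)
		*nasns = count;
	return ASPATH_OK;
}

/* Constructed sample attributes, not taken from the report above */
static const uint8_t good_path[] = { AS_SEQUENCE, 2, 0, 0, 0, 1, 0, 0, 0xfd, 0xe8 }; /* AS1, AS65000 */
static const uint8_t short_path[] = { AS_SEQUENCE, 3, 0, 0, 0, 1 }; /* claims 3 ASNs, carries 1 */
int main(void) {
	size_t n = 0;
	enum aspath_result r = aspath_check(good_path, sizeof(good_path), &n);
	printf("good_path: %d (%zu ASNs)\n", r, n);
	printf("short_path: %d\n", aspath_check(short_path, sizeof(short_path), NULL));
	return 0;
}
```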
