Hi,

When debugging problems with ospfd and carp on startup, I managed to get ospfd to segfault a couple of times. I tracked down the issue to if_change() and main_imsg_compose_ospfe().
if_change() is called before imsg_init is called to initialize the imsgbuf struct. If a link state change to UP occurs during the small time frame the imsgbuf pointer is uninitialized, we have a null pointer dereference in main_imsg_compose_ospfe(). Safe-guard against this by simply not calling imsg_compose_event() if the imsgbuf pointer is null.

Index: ospfd.c =================================================================== RCS file: /cvs/src/usr.sbin/ospfd/ospfd.c,v retrieving revision 1.83 diff -u -p -r1.83 ospfd.c --- ospfd.c 10 Feb 2015 05:24:48 -0000 1.83 +++ ospfd.c 27 May 2015 12:35:08 -0000 @@ -511,13 +511,15 @@ main_dispatch_rde(int fd, short event, v void main_imsg_compose_ospfe(int type, pid_t pid, void *data, u_int16_t datalen) { - imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen); + if (iev_ospfe) + imsg_compose_event(iev_ospfe, type, 0, pid, -1, data, datalen); } void main_imsg_compose_rde(int type, pid_t pid, void *data, u_int16_t datalen) { - imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen); + if (iev_rde) + imsg_compose_event(iev_rde, type, 0, pid, -1, data, datalen); } void
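Review bot: the `if (iev_ospfe)` and `if (iev_rde)` guards stop the NULL dereference but silently discard the message, so a link-state change to UP that lands in the startup window is never forwarded to ospfe or rde; please confirm the child processes pick up the current interface state once they are up, or at least log the dropped message at debug level so the lost event is visible when debugging exactly this kind of carp/ospfd startup problem. The description should also say what is actually NULL: the hunk tests the `iev_ospfe` / `iev_rde` imsgev pointers, not an imsgbuf, so the window is "before iev_ospfe is allocated and imsg_init() run on it". The `main_imsg_compose_rde` change is a symmetric fix not mentioned in the description and deserves a sentence. An alternative worth weighing is fixing the ordering instead, i.e. not registering if_change() handling until the iev_* pointers exist, since that removes the window rather than papering over it; if the guard is kept as a belt-and-braces measure, a short comment at the check explaining the startup race would help the next reader.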