  1. vpp
  2. VPP-1159

VXLAN/GPE VPP crash


    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Medium Medium
    • None
    • None
    • LISP
    • None

      I’ve got a crash in VPP (last stable/1801) when testing VXLAN/GPE with OpenStack + networking-vpp.

       

      The call stack is the following :

       

      0: gid_dictionary_sd_lookup:476: address type 7 not supported!

       

      Thread 1 "vpp_main" received signal SIGSEGV, Segmentation fault.

      0x0000000000000000 in ?? ()

      (gdb) where

      #0  0x0000000000000000 in ?? ()

      #1  0x00007ffff70889d6 in gid_address_copy (dst=0x7fffb6a729a8, src=0x7fffb6a72b40)

          at /home/stack/VPP_1801/vpp/build-data/../src/vnet/lisp-cp/lisp_types.c:1498

      #2  0x00007ffff70ab15a in queue_map_request (seid=0x7fffb6a72b40, deid=0x7fffb6a72b90,

          smr_invoked=0 '\000', is_resend=0 '\000')

          at /home/stack/VPP_1801/vpp/build-data/../src/vnet/lisp-cp/control.c:4558

      #3  0x00007ffff70a6282 in lisp_cp_lookup_inline (vm=0x7ffff7b89480 <vlib_global_main>,

          node=0x7fffb6e02400, from_frame=0x7fffb6e62940, overlay=16389)

          at /home/stack/VPP_1801/vpp/build-data/../src/vnet/lisp-cp/control.c:3529

      #4  0x00007ffff70a6585 in lisp_cp_lookup_l2 (vm=0x7ffff7b89480 <vlib_global_main>,

          node=0x7fffb6e02400, from_frame=0x7fffb6e62940)

          at /home/stack/VPP_1801/vpp/build-data/../src/vnet/lisp-cp/control.c:3577

      #5  0x00007ffff78e6cd1 in dispatch_node (vm=0x7ffff7b89480 <vlib_global_main>,

          node=0x7fffb6e02400, type=VLIB_NODE_TYPE_INTERNAL, dispatch_state=VLIB_NODE_STATE_POLLING,

          frame=0x7fffb6e62940, last_time_stamp=1634251808068156)

          at /home/stack/VPP_1801/vpp/build-data/../src/vlib/main.c:988

      #6  0x00007ffff78e728a in dispatch_pending_node (vm=0x7ffff7b89480 <vlib_global_main>,

          pending_frame_index=12, last_time_stamp=1634251808068156)

          at /home/stack/VPP_1801/vpp/build-data/../src/vlib/main.c:1138

      #7  0x00007ffff78e9466 in vlib_main_or_worker_loop (vm=0x7ffff7b89480 <vlib_global_main>,

          is_main=1) at /home/stack/VPP_1801/vpp/build-data/../src/vlib/main.c:1609

      #8  0x00007ffff78e9514 in vlib_main_loop (vm=0x7ffff7b89480 <vlib_global_main>)

          at /home/stack/VPP_1801/vpp/build-data/../src/vlib/main.c:1628

      #9  0x00007ffff78e9d8a in vlib_main (vm=0x7ffff7b89480 <vlib_global_main>, input=0x7fffb6a72fb0)

          at /home/stack/VPP_1801/vpp/build-data/../src/vlib/main.c:1783

      #10 0x00007ffff7950d3e in thread0 (arg=140737349457024)

          at /home/stack/VPP_1801/vpp/build-data/../src/vlib/unix/main.c:567

      #11 0x00007ffff6829dd4 in clib_calljmp ()

          at /home/stack/VPP_1801/vpp/build-data/../src/vppinfra/longjmp.S:110

      #12 0x00007fffffffd270 in ?? ()

      #13 0x00007ffff795119f in vlib_unix_main (argc=4, argv=0x7fffffffe4c8)

          at /home/stack/VPP_1801/vpp/build-data/../src/vlib/unix/main.c:631

      #14 0x000000000040671c in main (argc=4, argv=0x7fffffffe4c8)

          at /home/stack/VPP_1801/vpp/build-data/../src/vpp/vnet/main.c:207

       

       

      It seems the crash happens when VPP processes an ICMPv6 Neighbor Solicitation message in which the source link-layer address option is not present.

       

      (gdb) up

      #1  0x00007ffff70889d6 in gid_address_copy (dst=0x7fffb6a729a8, src=0x7fffb6a72b40)

          at /home/stack/VPP_1801/vpp/build-data/../src/vnet/lisp-cp/lisp_types.c:1498

      1498      (*copy_fcts[type]) ((*cast_fcts[type]) (dst), (*cast_fcts[type]) (src));

      (gdb) up

      #2  0x00007ffff70ab15a in queue_map_request (seid=0x7fffb6a72b40, deid=0x7fffb6a72b90,

          smr_invoked=0 '\000', is_resend=0 '\000')

          at /home/stack/VPP_1801/vpp/build-data/../src/vnet/lisp-cp/control.c:4558

      4558      gid_address_copy (&a.seid, seid);

      (gdb) up

      #3  0x00007ffff70a6282 in lisp_cp_lookup_inline (vm=0x7ffff7b89480 <vlib_global_main>,

          node=0x7fffb6e02400, from_frame=0x7fffb6e62940, overlay=16389)

          at /home/stack/VPP_1801/vpp/build-data/../src/vnet/lisp-cp/control.c:3529

      3529                  queue_map_request (&src, &dst, 0 /* smr_invoked */ ,

      (gdb) p b0

      $3 = (vlib_buffer_t *) 0x7fff00b83000

      (gdb) p *b0

      $4 = {cacheline0 = 0x7fff00b83000 "", template_start = 0x7fff00b83000 "", current_data = 0,

        current_length = 78, flags = 393472, template_end = 0x7fff00b83008 "", next_buffer = 0,

        error = 1556480, current_config_index = 0, feature_arc_index = 0 '\000',

        n_add_refs = 0 '\000', buffer_pool_index = 0 '\000', dont_waste_me = "", opaque = {6, 4,

          917504, 0, 16389, 3, 5832148, 0, 0, 0}, cacheline1 = 0x7fff00b83040 "", trace_index = 0,

        recycle_count = 1, total_length_not_including_first_buffer = 0, align_pad = 0, opaque2 = {

          0 <repeats 12 times>}, cacheline2 = 0x7fff00b83080 "",

        pre_data = '\000' <repeats 127 times>,

        data = 0x7fff00b83100 "33\377m/\002\372\026>m/\002\206\335`"}

      (gdb) x /32bx b0->data

      0x7fff00b83100: 0x33    0x33    0xff    0x6d    0x2f    0x02    0xfa    0x16

      0x7fff00b83108: 0x3e    0x6d    0x2f    0x02    0x86    0xdd    0x60    0x00

      0x7fff00b83110: 0x00    0x00    0x00    0x18    0x3a    0xff    0x00    0x00

      0x7fff00b83118: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00

      (gdb) x /78bx b0->data

      0x7fff00b83100: 0x33    0x33    0xff    0x6d    0x2f    0x02    0xfa    0x16

      0x7fff00b83108: 0x3e    0x6d    0x2f    0x02    0x86    0xdd    0x60    0x00

      0x7fff00b83110: 0x00    0x00    0x00    0x18    0x3a    0xff    0x00    0x00

      0x7fff00b83118: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00

      0x7fff00b83120: 0x00    0x00    0x00    0x00    0x00    0x00    0xff    0x02

      0x7fff00b83128: 0x00    0x00    0x00    0x00    0x00    0x00    0x00    0x00

      0x7fff00b83130: 0x00    0x01    0xff    0x6d    0x2f    0x02    0x87    0x00

      0x7fff00b83138: 0xe8    0x31    0x00    0x00    0x00    0x00    0xfe    0x80

      0x7fff00b83140: 0x00    0x00    0x00    0x00    0x00    0x00    0xf8    0x16

      0x7fff00b83148: 0x3e    0xff    0xfe    0x6d    0x2f    0x02

       

      • When get_src_and_dst_eids_from_buffer() is called from lisp_cp_lookup_inline() with the buffer dumped above, it takes this branch:

       

      if ((opt->header.type !=

                                 ICMP6_NEIGHBOR_DISCOVERY_OPTION_source_link_layer_address)

                                || (opt->header.n_data_u64s != 1))

                              return; /* source link layer address option not present */

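                     because the source link-layer address option is absent from the message. The bare return hands control back without filling in dst and src, so both remain undefined and, as far as this excerpt shows, the caller gets no indication of that.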

       

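      • Later, in lisp_cp_lookup_inline(), queue_map_request() is called with the undefined addresses and crashes in gid_address_copy(). Frame #0 at 0x0000000000000000 is consistent with line 1498 of lisp_types.c calling through a copy_fcts/cast_fcts table entry selected by the uninitialised address type (the log line before the SIGSEGV reports "address type 7 not supported"), i.e. a call through a null function pointer driven by the contents of a received packet.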

       

      You can reproduce the bug with the attached Python script.

        1. tst_vxlan2.py
          1 kB
          Jean-Bernard Beuque

            florin.coras Florin Coras
            jbeuque Jean-Bernard Beuque