[quagga-dev 6469] Re: Valgrind hits (and subsequent segfaults) in ospf6d

Steinar H. Gunderson sgunderson at bigfoot.com
Mon Mar 16 23:56:00 GMT 2009

On Mon, Mar 16, 2009 at 08:34:57PM +0100, Steinar H. Gunderson wrote:
>> This does not match up to similar code in linklist.c:
> It seems ospf6 doesn't store a list head (the routing table comes from some
> sort of tree, I don't really know how the linked list comes in), so the code
> isn't relevant AFAICS.

OK, I've looked a bit further, but unfortunately the other end died for the
day, and it's not on a system I have control over (and I need it to provoke
the error), so it'll have to be for today.

One of the basic problems seems to be that ospf6_route_remove() adjusts
route->next->prev and route->prev->next -- but it does _not_ adjust
route->next and route->prev, leaving the doubly-linked list of ospf6_route
objects in an inconsistent state. The code around it appears to be designed to live with this
inconsistency until the object is unlocked and hits refcount zero, but for
some reason something(TM) finds the (supposedly removed) route, follows
route->next (which may or may not still point to a valid route object) and
then you have a recipe for chaos.

Unfortunately, there are not many asserts here that will hold -- for
instance, I tried verifying that route->next->prev == route, but that doesn't
hold for an object that's removed. And you cannot set route->next or
route->prev to invalid pointers on remove, since a lot of code assumes you
can use route->next on a newly-removed pointer. Etc... :-)

/* Steinar */
Homepage: http://www.sesse.net/
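The hazard the mail describes, modelled in about 80 lines of C as an added example (this is not ospf6d's code; `struct route`, `route_remove()`, the `removed` flag and the `freed_log` bookkeeping are hypothetical stand-ins chosen for the demonstration). `route_remove()` re-links the neighbours but leaves the node's own `next`/`prev` untouched; the table's reference is dropped and the object lives on only while someone else holds a lock. `remove_prefixes_below()` is the remove-while-iterating idiom that depends on reading `r->next` after removal, and `demo()` walks through the failure: a long-lived holder keeps a removed route whose `next` then points at a successor that has been removed and freed. The `freed_log` exists so the dangling pointer can be detected by address comparison instead of by dereferencing freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_FREED 64

/* Model-only record of freed addresses, so a dangling pointer can be
   detected without touching freed memory. Not part of any real code. */
static uintptr_t freed_log[MAX_FREED];
static int freed_n;

struct route {
    int prefix;                 /* stand-in for the real prefix */
    int lock;                   /* reference count */
    int removed;                /* model-only flag set by route_remove() */
    struct route *prev, *next;
};

struct route_table { struct route *head, *tail; int count; };

static struct route *route_lock(struct route *r) { r->lock++; return r; }

/* Drop one reference; free at zero. Returns 1 if the object was freed. */
static int route_unlock(struct route *r) {
    if (--r->lock > 0) return 0;
    if (freed_n < MAX_FREED) freed_log[freed_n++] = (uintptr_t)r;
    free(r);
    return 1;
}

static struct route *route_create(int prefix) {
    struct route *r = calloc(1, sizeof *r);
    r->prefix = prefix;
    return r;
}

static void route_add(struct route_table *t, struct route *r) {
    r->prev = t->tail; r->next = NULL;
    if (t->tail) t->tail->next = r; else t->head = r;
    t->tail = r;
    t->count++;
    route_lock(r);                      /* the table holds one reference */
}

/* Mirrors the behaviour described in the mail: neighbours are re-linked,
   but r->next and r->prev are deliberately left as they were. */
static void route_remove(struct route_table *t, struct route *r) {
    if (r->prev) r->prev->next = r->next; else t->head = r->next;
    if (r->next) r->next->prev = r->prev; else t->tail = r->prev;
    t->count--;
    r->removed = 1;
    route_unlock(r);                    /* table's reference; r lives on if locked */
}

/* Holds for nodes still in the table; fails for a removed node, whose next
   still points into the list while that neighbour's prev no longer points back. */
static int links_consistent(const struct route *r) {
    if (r->next && r->next->prev != r) return 0;
    if (r->prev && r->prev->next != r) return 0;
    return 1;
}

static int points_at_freed(const struct route *r) {
    for (int i = 0; i < freed_n; i++)
        if (freed_log[i] == (uintptr_t)r) return 1;
    return 0;
}

/* The remove-while-iterating idiom: continue via r->next after removing r.
   Safe only because r->next is left intact and the caller keeps its own lock
   on r across the removal, so r is not freed under its feet. */
static int remove_prefixes_below(struct route_table *t, int limit) {
    int n = 0;
    for (struct route *r = t->head; r; ) {
        route_lock(r);
        if (r->prefix < limit) { route_remove(t, r); n++; }
        struct route *next = r->next;   /* read after removal */
        route_unlock(r);                /* may free r now */
        r = next;
    }
    return n;
}

static int iterate_demo(void) {
    struct route_table t = {0};
    route_add(&t, route_create(10)); route_add(&t, route_create(20));
    route_add(&t, route_create(30));
    int n = remove_prefixes_below(&t, 25);
    int ok = n == 2 && t.count == 1 && t.head == t.tail && t.head->prefix == 30;
    route_remove(&t, t.head);
    return ok;
}

/* A third party keeps a reference to B after it is removed; B's old successor
   C is then removed and freed, so B->next dangles. Following it is the
   "recipe for chaos" from the mail. */
static int demo(void) {
    struct route_table t = {0};
    struct route *a = route_create(10), *b = route_create(20), *c = route_create(30);
    route_add(&t, a); route_add(&t, b); route_add(&t, c);

    route_lock(b);                                     /* long-lived holder */
    route_remove(&t, b);                               /* out of table, still alive */
    int stale_links = !links_consistent(b);            /* b->next->prev is a, not b */
    int live_ok = links_consistent(a) && links_consistent(c);

    route_remove(&t, c);                               /* C hits zero and is freed */
    int dangling = points_at_freed(b->next);           /* B still points at freed C */

    route_unlock(b);
    route_remove(&t, a);
    return stale_links && live_ok && dangling && t.count == 0;
}

int main(void) {
    printf("iterate_demo: %d\ndemo: %d\n", iterate_demo(), demo());
    return 0;
}
```

Run with a sanitizer (`-fsanitize=address`) and replace the `points_at_freed()` check with a real read of `b->next->prefix` to see the use-after-free reported directly; the address-log version is used above so the example stays well-defined.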
