[quagga-users 10283] Bgpd crash on long asn32 in aspath (dos possible?)

Attilla De Groot attilla at nlnetlabs.nl
Tue Jan 13 19:14:34 GMT 2009 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

I tried to send the following e-mail to the maintainers, but that mail  
got bounced. So I'm sending it here to notify other users and maybe  
reach a maintainer.

Attilla
_____________________________________________

Dear Maintainers,

At the moment I'm working on a project with the Locator ID seperation  
protocol and I was planning to use Quagga (0.99.11) to connect with  
the LISP4 LISP-ALT network (which is just bgp over gre overlay).

However when connecting to the network the bgpd crashes. I think this  
is because of the long asn32 numbers that are used in the LISP4  
network (32768.*). The daemon generates the following error:

[root at phobos ~/quagga-0.99.11/lib]# bgpd
2009/01/13 10:27:27 BGP: BGPd 0.99.11 starting: vty at 2605, bgp@<all>:179
2009/01/13 10:33:30 BGP: 240.0.254.204 unrecognized capability code:  
67 - ignored
2009/01/13 10:33:31 BGP: Assertion `len < str_size' failed in file  
bgp_aspath.c, line 619, function aspath_make_str_count
2009/01/13 10:33:31 BGP: No backtrace available on this platform.
Abort trap: 6

My configuration:

[root at phobos ~/quagga-0.99.11/lib]# cat /usr/local/etc/quagga/bgpd.conf
!
! Zebra configuration saved from vty
!   2009/01/12 09:13:01
!
hostname phobos
password ****
enable password ****
log stdout
!
router bgp 2147483677
bgp router-id 153.16.36.254
network 153.16.36.0/24
neighbor 10.235.235.2 remote-as 65000
neighbor 240.0.254.204 remote-as 2147483671
!
line vty
!

I'm not a software engineer, but a daemon that crashes on a message  
instead of giving an error doesn't seem very good. I'm mailing this on  
the maintainers list because since 1-1-2009 the RIR's are only  
providing asn32 numbers and only in special cases still asn16 numbers.  
As far as I can determine the crash is caused by the fact that asn's  
 >= 100000 are not supported in aspaths according to the comment in  
bgp_aspath.c (line 578 - 586). RIPE is already handing out asn's >  
100000 so this can lead to a dos where Quagga is used in production  
environments.

I have tried to adjust #define ASN_STR_LEN (5 + 1) to #define  
ASN_STR_LEN (9 + 1). This did solve the crash, but other tools gave  
strange results with negative as numbers. I think that this is just  
some minor issue in printing the data. Because routes are still  
exchanged over bgp.

phobos# show ip bgp summary
BGP router identifier 153.16.36.254, local AS number -2147483619
RIB entries 3, using 192 bytes of memory
Peers 2, using 5040 bytes of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down   
State/PfxRcd
10.235.235.2    4 65000     104     107        0    0    0  
00:34:24        1
240.0.254.204   4 -2147483625     120     107        0    0    0  
01:39:36        0

phobos# sh bgp neighbors 240.0.254.204
BGP neighbor is 240.0.254.204, remote AS -2147483625, local AS -  
- -2147483619, external link


I hope this bug report helps you. My suggestion would be to fix the  
asn32 support for numbers > 100000 asap. :-)


Best Regards,
Attilla de Groot
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkls6BoACgkQWQLlhsiqASFl0ACfbn0X+QNi4sbe9eiac8EgaP5H
0g0AoKBpe8tviMPPm8HfOrEYJYh6EVlE
=KQF4
-----END PGP SIGNATURE-----

More information about the Quagga-users mailing list