Bug in route6d?

John Hay jhay at meraka.org.za
Sun Jul 8 07:46:30 UTC 2018


Hi All,

I have a small ntp server (PC Engines APU), with an ipv6 subnet on lo0 with
route6d to advertise it. A few minutes after almost every reboot, route6d
will crash with a sig 11. If I then restart route6d, it will run until the
next time I reboot. I think it is when re0 finally gets a global ipv6
address.

Currently it is running 11.2, but the problem is not new. It has been there
in 10.x and before.

A sanitised piece of rc.conf looks like this:
<snip>
# Disable to make ipv6 work
ifconfig_re0="-rxcsum -txcsum"
ipv4_addrs_re0="X.Y.8.18/24"
ipv4_addrs_lo0="X.Y.58.41/32"
ifconfig_re0_ipv6="inet6 accept_rtadv"
ifconfig_lo0_alias0="inet6 2001:A:B:C::1/64"
defaultrouter="X.Y.8.1"
route6d_enable="YES"
route6d_flags="-s"
ipv6_gateway_enable="YES"
</snip>

Gdb says:

<snip>
root at tick:/ # gdb /usr/sbin/route6d /route6d.old.core
GNU gdb 6.1.1 [FreeBSD]
...
Core was generated by `/usr/sbin/route6d -s'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /lib/libc.so.7...Reading symbols from
/usr/lib/debug//lib/libc.so.7.debug...done.
done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /libexec/ld-elf.so.1...Reading symbols from
/usr/lib/debug//libexec/ld-elf.so.1.debug...done.
done.
Loaded symbols for /libexec/ld-elf.so.1
#0  ifrt (ifcp=0x800e38000, again=1) at
/usr/src/usr.sbin/route6d/route6d.c:2206
2206                    TAILQ_REMOVE(&riprt_head, rrt, rrt_next);
(gdb)
</snip>

Looking at the code, I think rrt should not be removed, but rather
search_rrt and it should be freed afterwards? Route6d has now survived a
few reboots with the following patch.

<snip>
--- route6d.c.org       2018-06-22 01:03:51.000000000 +0200
+++ route6d.c   2018-07-08 08:23:53.279925000 +0200
@@ -2203,8 +2203,9 @@
                                        goto next;
                                }

-                               TAILQ_REMOVE(&riprt_head, rrt, rrt_next);
-                               delroute(&rrt->rrt_info, &rrt->rrt_gw);
+                               TAILQ_REMOVE(&riprt_head, search_rrt,
rrt_next);
+                               delroute(&search_rrt->rrt_info,
&search_rrt->rrt_gw);
+                               free(search_rrt);
                        }
                        /* Attach the route to the list */
                        trace(1, "route: %s/%d: register route (%s)\n",
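Review bot: free(search_rrt) on the last added line leaves search_rrt dangling for any code after the closing brace, so confirm nothing reads it again before it is reassigned, or set it to NULL right after the free. The order of the three added calls is correct: delroute() reads search_rrt->rrt_info and search_rrt->rrt_gw before the free. The context comment "/* Attach the route to the list */" below the block shows rrt is only linked afterwards, which supports unlinking search_rrt rather than rrt; a one-line comment saying so would help the next reader. The inline copy is mail-wrapped at "rrt_next);" and "&search_rrt->rrt_gw);", so it will not apply as pasted; use the attached route6d.c.diff, and fold those two calls to fit 80 columns in the source itself.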
</snip>

Regards

John
--
John Hay
-------------- next part --------------
A non-text attachment was scrubbed...
Name: route6d.c.diff
Type: text/x-patch
Size: 477 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-net/attachments/20180708/5037f68d/attachment.bin>
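
The replace-on-duplicate pattern the message describes, as an added example that is not route6d code and not part of the original post: the entry found on the list is unlinked and freed, never the new element that has not been inserted yet. `struct rt`, `rt_find` and `rt_register` are hypothetical names, and the prefix in `main` is a constructed sample.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/queue.h>

/* Hypothetical stand-in for a route entry: a prefix key and a metric. */
struct rt {
    TAILQ_ENTRY(rt) link;
    char prefix[48];
    int metric;
};
TAILQ_HEAD(rt_head, rt);

static struct rt *rt_find(struct rt_head *h, const char *prefix)
{
    struct rt *r;
    TAILQ_FOREACH(r, h, link)
        if (strcmp(r->prefix, prefix) == 0)
            return r;
    return NULL;
}

/* Returns 1 if an old entry was replaced, 0 if added, -1 on allocation failure. */
static int rt_register(struct rt_head *h, const char *prefix, int metric)
{
    struct rt *new_rt = calloc(1, sizeof(*new_rt)), *old;
    int replaced = 0;

    if (new_rt == NULL)
        return -1;
    strncpy(new_rt->prefix, prefix, sizeof(new_rt->prefix) - 1);
    new_rt->metric = metric;
    if ((old = rt_find(h, prefix)) != NULL) {
        /* Unlink the element that IS on the list. new_rt is not linked yet:
         * its link.tqe_prev is NULL here, so TAILQ_REMOVE(h, new_rt, link)
         * would corrupt the head and write through a null pointer. */
        TAILQ_REMOVE(h, old, link);
        free(old);
        replaced = 1;
    }
    TAILQ_INSERT_TAIL(h, new_rt, link);   /* only now is new_rt on the list */
    return replaced;
}

int main(void)
{
    struct rt_head h = TAILQ_HEAD_INITIALIZER(h);
    rt_register(&h, "2001:db8:1::/64", 1);   /* constructed sample prefix */
    return rt_register(&h, "2001:db8:1::/64", 2) == 1 ? 0 : 1;
}
```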

