Bug 154014

Summary: tc segfaults when parsing some erroneous parameters
Product: Red Hat Enterprise Linux 4
Reporter: Christophe GRENIER <grenier>
Component: iproute
Assignee: Radek Vokál <rvokal>
Status: CLOSED ERRATA
QA Contact: Brock Organ <borgan>
Severity: medium
Priority: medium
Version: 4.0
CC: herrold, jneedle, laroche, riel
Keywords: Regression
Hardware: i386
OS: Linux
Fixed In Version: RHBA-2007-0184
Doc Type: Bug Fix
Last Closed: 2007-05-01 17:19:17 UTC
Attachments: structures.patch (flags: none)

Description Christophe GRENIER 2005-04-06 15:51:34 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
tc segfaults when parsing some erroneous parameters

Version-Release number of selected component (if applicable):
iproute-2.6.9-3

How reproducible:
Always

Steps to Reproduce:
1. tc qdisc add dev eth0 handle ffff: police rate 1kbit

Actual Results:  gdb tc
(gdb) set args qdisc add dev eth0 handle ffff: police rate 1kbit
(gdb) r
Starting program: /sbin/tc qdisc add dev eth0 handle ffff: police rate 1kbit

Program received signal SIGSEGV, Segmentation fault.
0x00006563 in ?? ()
(gdb) bt full
#0  0x00006563 in ?? ()
No symbol table info available.
#1  0x0804b65f in tc_qdisc_modify (cmd=0, flags=1536, argc=2, argv=0xbfff7094) at tc_qdisc.c:130
        handle = 4294901760
        rth = {fd = 0, local = {nl_family = 27708, nl_pad = 49151, nl_pid = 5922819, nl_groups = 164458504}, peer = {
    nl_family = 53236, nl_pad = 102, nl_pid = 6744064, nl_groups = 164458504}, seq = 3221187672, dump = 5933818}
        q = (struct qdisc_util *) 0x8063220
        est = {interval = 0 '\0', ewma_log = 0 '\0'}
        d = "eth0", '\0' <repeats 11 times>
        k = "police\000\000\000\000\000\000\000\000\000"
        req = {n = {nlmsg_len = 47, nlmsg_type = 36, nlmsg_flags = 1537, nlmsg_seq = 0, nlmsg_pid = 0}, t = {
    tcm_family = 0 '\0', tcm__pad1 = 0 '\0', tcm__pad2 = 0, tcm_ifindex = 0, tcm_handle = 4294901760, tcm_parent = 0,
    tcm_info = 0}, buf = "\v\000\001\000police", '\0' <repeats 65525 times>}
#2  0x0804c0d1 in do_qdisc (argc=8, argv=0xbfff707c) at tc_qdisc.c:359
No locals.
#3  0x0804b0bd in main (argc=10, argv=0xbfff7074) at tc.c:288
        batch = (FILE *) 0xbfff7074
...
        largc = -1073778572
(gdb)

Expected Results:  There must be an error message about the missing parameters

Additional info:

Comment 1 Radek Vokál 2005-04-07 10:37:06 UTC
I've just managed to close those 15 empty bugs you've submitted to me....

Which kernel are you currently using? I've never played with queueing policy, so
I'm not sure how I can reproduce it. When calling your step I get an error message

Unknown qdisc "police", hence option "rate" is unparsable 

Which seems like a correct error message to me. Or do I need to specify "police"
somehow before doing this step?

Comment 2 Christophe GRENIER 2005-04-07 11:10:36 UTC
Sorry for the empty bug reports but Bugzilla sent an error 500. I had to remove
some stuff from gdb output to get the message accepted.


It seems you got the correct error message.
I have been able to reproduce the bug on 3 servers:
- kernel-2.6.10-1.770_FC3 glibc-2.3.4-2.fc3
- kernel-2.6.10-1.770_FC3 glibc-2.3.4-10
- kernel-2.6.9-1.724_FC3 glibc-2.3.4-2.fc3
There is no prior configuration to set up, you don't even need to have a valid
interface or to be root.
sh-3.00$ /sbin/tc qdisc add dev fakedev handle ffff: police rate 1kbit
Segmentation fault

Old versions iproute-2.4.7-7.90.1 (RH9) and iproute-2.4.7-14 (FC2) are not affected
/sbin/tc qdisc add dev fakedev handle ffff: police rate 1kbit
Unknown qdisc "police", hence option "rate" is unparsable


Comment 3 Radek Vokál 2005-04-07 11:22:15 UTC
OK, I've managed to reproduce this bug on a RHEL4 system. My machine doesn't
seem to be affected and also the new version of iproute doesn't have this issue. Can
you also please try the latest iproute from devel branch? (iproute-2.6.11-2)

Comment 4 Christophe GRENIER 2005-04-07 12:28:01 UTC
Only version 2.6.11-1 is available at
http://download.fedora.redhat.com/pub/fedora/linux/core/development/SRPMS
I have rebuilt it under FC3, version 2.6.11-1 is not affected by this bug

Comment 5 Radek Vokál 2005-04-11 06:57:15 UTC
I'm moving this bugzilla to RHEL4. 

Comment 7 Rik van Riel 2006-07-30 00:14:49 UTC
The patch iproute2-2.6.9-tc.patch that is in the U4 beta breaks tc when using it
for traffic shaping with the popular wshaper script. This will need to be fixed
before U4 can ship.

Comment 8 Rik van Riel 2006-07-30 00:15:28 UTC
*** Bug 200651 has been marked as a duplicate of this bug. ***

Comment 14 Radek Vokál 2006-07-31 13:19:55 UTC
Created attachment 133318
structures.patch

Proposed patch for this issue.

Comment 15 Radek Vokál 2006-07-31 13:30:58 UTC
Comment on attachment 133318
structures.patch

>-	table = calloc(sizeof(double), TABLESIZE);
>+	table = calloc(TABLESIZE+1, sizeof(double));
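
Review bot: the `+1` on the added `calloc(TABLESIZE+1, sizeof(double))` line is unexplained, and the lines shown do not say which access needs index TABLESIZE. Please add a comment at the allocation stating why the extra slot exists, or adjust the bound of the code that fills the table so that TABLESIZE entries suffice. The argument order now matches calloc(nmemb, size); also make sure `table` is checked for NULL before it is written to, since that check is not visible here.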

Small change in previous attachment

Comment 21 Red Hat Bugzilla 2007-05-01 17:19:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0184.html