Bug 284641

Summary: net-snmp segfault in netsnmp_arch_interface_container_load
Product: Red Hat Enterprise Linux 5
Reporter: Tor Ake Fransson <tor-ake>
Component: net-snmp
Assignee: Jan Safranek <jsafrane>
Status: CLOSED DUPLICATE
Severity: low
Priority: medium
Version: 5.0
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-10-22 08:26:18 UTC

Description Tor Ake Fransson 2007-09-10 14:43:32 UTC
Description of problem:
net-snmp coredumps on x86_64

Version-Release number of selected component (if applicable):
5.3.1-14.0.1

How reproducible:
start snmpd on x86_64

Steps to Reproduce:
1. start snmpd with minimal config (snmpd.conf 1 line: rocommunity public)
  
Actual results:
snmpd crashes and the following is in the log:
kernel: snmpd[1633]: segfault at 000000000001a8d0 rip 0000002a96bed560 rsp 0000007fbfffe968 error 4

Expected results:
snmpd running

Additional info:
A post mortem debug shows this stack trace:
#0  0x0000002a96bed560 in strlen () from /lib64/tls/libc.so.6
#1  0x0000002a96bbfa0b in vfprintf () from /lib64/tls/libc.so.6
#2  0x0000002a96bdf434 in vsnprintf () from /lib64/tls/libc.so.6
#3  0x0000002a96bc51e1 in snprintf () from /lib64/tls/libc.so.6
#4  0x0000002a957310a5 in netsnmp_arch_interface_container_load (
    container=0x552abb8870, load_flags=Variable "load_flags" is not available.
) at if-mib/data_access/interface_linux.c:274
#5  0x0000002a957153be in netsnmp_access_interface_container_load (
    container=0x552abb8870, load_flags=0) at if-mib/data_access/interface.c:157
#6  0x0000002a957154ba in netsnmp_access_interface_init ()
    at if-mib/data_access/interface.c:88
#7  0x0000002a95735c99 in init_mib_modules () at mib_modules.c:76
#8  0x000000552aaae6b8 in main (argc=3, argv=0x7fbffff9d8) at snmpd.c:909
(gdb) f 4
#4  0x0000002a957310a5 in netsnmp_arch_interface_container_load (
    container=0x552abb8870, load_flags=Variable "load_flags" is not available.
) at if-mib/data_access/interface_linux.c:274
274         snprintf(line, sizeof(line), proc_sys_basereachable_time, entry->name);
(gdb) print line
$3 = "    lo\000114905340  578581    0    0    0     0          0         0
114905340  578581    0    0    0     0       0         
0\000\000\000\000@\210»*U\000\000\000\210I\207\225*\000\000\000ç0»*U\000\000\000¸0»*U\000\000\000Øùÿ¿\177\000\000\000\003",
'\0' <repeats 15 times>, "\212\006V\225*\000\000\000\001\000\000\000\177", '\0'
<repeats 11 times>...
(gdb) print entry
$4 = (netsnmp_interface_entry *) 0x552abb8c60
(gdb) print entry->name
$5 = 0x552abb8da0 "lo"
(gdb) print proc_sys_basereachable_time
$6 = 0x2a95761d48 "/proc/sys/net/ipv%d/neigh/%s/base_reachable_time_ms"

So the problem seems to be in the patch net-snmp-5.3.1-reachable_ms.patch on
line 59, where the string proc_sys_basereachable_time contains placeholders for
one integer and one string, but only a string is passed as an argument to snprintf.
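
The defect the reporter describes, shown as an added example in C (not code from the report or from net-snmp): the same format string with the defective call kept in a comment beside a corrected call that supplies both conversions' arguments and checks for truncation. The function name build_reachable_time_path, the ip_version parameter and the sample interface name "lo" are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Format string exactly as gdb printed it in the report ($6). The array is a
 * stand-in for net-snmp's own variable of the same name. */
static const char proc_sys_basereachable_time[] =
    "/proc/sys/net/ipv%d/neigh/%s/base_reachable_time_ms";

/*
 * Defective call from the report (frame #4, interface_linux.c:274):
 *
 *     snprintf(line, sizeof(line), proc_sys_basereachable_time, entry->name);
 *
 * The format consumes an int for %d and a char * for %s, but only one
 * argument is supplied. On x86_64 the pointer to "lo" is consumed as the %d
 * value and whatever happens to be in the next argument register is used as
 * the %s pointer; strlen() dereferences it and faults, which matches the
 * backtrace above. The call is left in a comment because its behaviour is
 * undefined.
 */

/* Corrected form: every conversion in the format gets an argument of the
 * matching type, in order. Returns the path length on success, or -1 with an
 * emptied buffer if the path would not fit (snprintf reports the length it
 * wanted to write, so truncation is detectable rather than silent). */
int build_reachable_time_path(char *buf, size_t bufsz,
                              int ip_version, const char *ifname)
{
    int n = snprintf(buf, bufsz, proc_sys_basereachable_time,
                     ip_version, ifname);
    if (n < 0 || (size_t)n >= bufsz) {
        if (bufsz > 0)
            buf[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    char line[128];
    const char *ifname = "lo";   /* constructed sample; entry->name in the report */

    if (build_reachable_time_path(line, sizeof line, 4, ifname) < 0) {
        fputs("path does not fit in buffer\n", stderr);
        return 1;
    }
    puts(line);   /* /proc/sys/net/ipv4/neigh/lo/base_reachable_time_ms */
    return 0;
}
```

Because the format lives in a variable rather than a string literal, gcc's -Wformat cannot match conversions against arguments at the call site; -Wformat-nonliteral only reports that the call is uncheckable. Passing the format as a literal, or wrapping the call in a function declared with __attribute__((format(printf, 3, 4))), lets the compiler flag this kind of mismatch before it ships.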

Comment 1 Jan Safranek 2007-10-22 08:26:18 UTC
This should be already fixed in RHEL 5.1.

*** This bug has been marked as a duplicate of 240609 ***