Bug 154014 - tc segfaults when parsing some erroneous parameters
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: iproute
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Radek Vokal
QA Contact: Brock Organ
Keywords: Regression
Duplicates: 200651
Reported: 2005-04-06 11:51 EDT by Christophe GRENIER
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHBA-2007-0184
Doc Type: Bug Fix
Last Closed: 2007-05-01 13:19:17 EDT

Attachments:
structures.patch (9.73 KB, patch), 2006-07-31 09:19 EDT, Radek Vokal

Description Christophe GRENIER 2005-04-06 11:51:34 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
tc segfaults when parsing some erroneous parameters

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. tc qdisc add dev eth0 handle ffff: police rate 1kbit

Actual Results:  gdb tc
(gdb) set args qdisc add dev eth0 handle ffff: police rate 1kbit
(gdb) r
Starting program: /sbin/tc qdisc add dev eth0 handle ffff: police rate 1kbit

Program received signal SIGSEGV, Segmentation fault.
0x00006563 in ?? ()
(gdb) bt full
#0  0x00006563 in ?? ()
No symbol table info available.
#1  0x0804b65f in tc_qdisc_modify (cmd=0, flags=1536, argc=2, argv=0xbfff7094) at tc_qdisc.c:130
        handle = 4294901760
        rth = {fd = 0, local = {nl_family = 27708, nl_pad = 49151, nl_pid = 5922819, nl_groups = 164458504}, peer = {
    nl_family = 53236, nl_pad = 102, nl_pid = 6744064, nl_groups = 164458504}, seq = 3221187672, dump = 5933818}
        q = (struct qdisc_util *) 0x8063220
        est = {interval = 0 '\0', ewma_log = 0 '\0'}
        d = "eth0", '\0' <repeats 11 times>
        k = "police\000\000\000\000\000\000\000\000\000"
        req = {n = {nlmsg_len = 47, nlmsg_type = 36, nlmsg_flags = 1537, nlmsg_seq = 0, nlmsg_pid = 0}, t = {
    tcm_family = 0 '\0', tcm__pad1 = 0 '\0', tcm__pad2 = 0, tcm_ifindex = 0, tcm_handle = 4294901760, tcm_parent = 0,
    tcm_info = 0}, buf = "\v\000\001\000police", '\0' <repeats 65525 times>}
#2  0x0804c0d1 in do_qdisc (argc=8, argv=0xbfff707c) at tc_qdisc.c:359
No locals.
#3  0x0804b0bd in main (argc=10, argv=0xbfff7074) at tc.c:288
        batch = (FILE *) 0xbfff7074
        largc = -1073778572

Expected Results:  There must be an error message about the missing parameters

Additional info:
Comment 1 Radek Vokal 2005-04-07 06:37:06 EDT
I've just managed to close those 15 empty bugs you've submitted to me....

Which kernel are you currently using? I've never played with queueing policy, so
I'm not sure how I can reproduce it. When calling your step I get an error message

Unknown qdisc "police", hence option "rate" is unparsable 

Which seems like a correct error message to me. Or do I need to specify "police"
somehow before doing this step?
Comment 2 Christophe GRENIER 2005-04-07 07:10:36 EDT
Sorry for the empty bug reports but Bugzilla sent an error 500. I had to remove
some stuff from gdb output to get the message accepted.

It seems you got the correct error message
I have been able to reproduce the bug on 3 servers
- kernel-2.6.10-1.770_FC3 glibc-2.3.4-2.fc3
- kernel-2.6.10-1.770_FC3 glibc-2.3.4-10
- kernel-2.6.9-1.724_FC3 glibc-2.3.4-2.fc3
There is no prior configuration to set up, you don't even need to have a valid
interface or to be root.
sh-3.00$ /sbin/tc qdisc add dev fakedev handle ffff: police rate 1kbit
Segmentation fault

Old versions iproute-2.4.7-7.90.1 (RH9) and iproute-2.4.7-14 (FC2) are not affected
/sbin/tc qdisc add dev fakedev handle ffff: police rate 1kbit
Unknown qdisc "police", hence option "rate" is unparsable
Comment 3 Radek Vokal 2005-04-07 07:22:15 EDT
Ok, I've managed to reproduce this bug on a RHEL4 system. My machine doesn't
seem to be affected and also the new version of iproute doesn't have this issue. Can
you also please try the latest iproute from devel branch? (iproute-2.6.11-2)
Comment 4 Christophe GRENIER 2005-04-07 08:28:01 EDT
Only version 2.6.11-1 is available at
I have rebuilt it under FC3; version 2.6.11-1 is not affected by this bug
Comment 5 Radek Vokal 2005-04-11 02:57:15 EDT
I'm moving this bugzilla to RHEL4. 
Comment 7 Rik van Riel 2006-07-29 20:14:49 EDT
The patch iproute2-2.6.9-tc.patch that is in the U4 beta breaks tc when using it
for traffic shaping with the popular wshaper script. This will need to be fixed
before U4 can ship.
Comment 8 Rik van Riel 2006-07-29 20:15:28 EDT
*** Bug 200651 has been marked as a duplicate of this bug. ***
Comment 14 Radek Vokal 2006-07-31 09:19:55 EDT
Created attachment 133318 [details]

Proposed patch for this issue.
Comment 15 Radek Vokal 2006-07-31 09:30:58 EDT
Comment on attachment 133318 [details]

>-	table = calloc(sizeof(double), TABLESIZE);
>+	table = calloc(TABLESIZE+1, sizeof(double));
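Review bot: The `+1` in `calloc(TABLESIZE+1, sizeof(double))` is a bare magic adjustment with no explanation. If the table code reads or writes `table[TABLESIZE]`, say so in a comment next to the allocation, or change that loop bound so the index stays within `TABLESIZE`; as written, any other buffer or loop sized by `TABLESIZE` will still disagree with this one. Swapping the arguments to the `(nmemb, size)` order is correct but does not change the number of bytes allocated, so the extra element is the only functional change here. Also confirm the result of `calloc` is checked for NULL before `table` is used, which these two lines do not show.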

Small change in previous attachment
Comment 21 Red Hat Bugzilla 2007-05-01 13:19:17 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

