Bug 168903 - ip -6 route show dev eth1 via :: segfaults
Summary: ip -6 route show dev eth1 via :: segfaults
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: iproute
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Radek Vokál
QA Contact: Brock Organ
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-09-21 02:58 UTC by Matt Domsch
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 2.6.14-5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-07 06:19:00 UTC
Type: ---
Embargoed:


Attachments
ltrace.txt (9.19 KB, text/plain), 2005-09-21 02:58 UTC, Matt Domsch
iproute2-ss050901-host_len.patch (775 bytes, patch), 2005-10-07 02:35 UTC, Matt Domsch

Description Matt Domsch 2005-09-21 02:58:06 UTC
Description of problem:
ip -6 route show dev eth1 via ::
segfaults.



Version-Release number of selected component (if applicable):
2.6.11-1 (FC4), 2.6.14-3 (FC devel)

How reproducible:
always

Steps to Reproduce:
1. run above line
Actual results:
fe80::/64  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
ff00::/8  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
Segmentation fault


Expected results:
no segfault

Additional info:
choose any dev (eth0, eth1, whatever) as long as it exists.

Comment 1 Matt Domsch 2005-09-21 02:58:06 UTC
Created attachment 119058 [details]
ltrace.txt

Comment 2 Matt Domsch 2005-09-21 02:58:36 UTC
also, if you drop the 'via ::' part it won't segfault.

Comment 3 Radek Vokál 2005-09-21 06:40:37 UTC
Hmm, none of my test systems segfaults. It seems to work fine. Which
architecture and kernel are you testing this on? I will look closer at your
trace .. 

Here are my results 
FC4
[root@vepro ~]# rpm -q iproute
iproute-2.6.11-1
[root@vepro ~]# ip -6 route show dev eth0 via ::
fe80::/64  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
ff00::/8  metric 256  mtu 1500 advmss 1440 metric 10 4294967295

FC5
rvokal@garfield devel$ ip -6 route show dev eth1 via ::
fe80::/64  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
ff00::/8  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
rvokal@garfield devel$ rpm -q iproute
iproute-2.6.14-3



Comment 4 Matt Domsch 2005-09-21 13:04:09 UTC
arch i386, kernel 2.6.12-1.1447_FC4 UP and smp variant.
If built with CFLAGS+= -g  it's not segfaulting on me. :-(

Comment 5 Radek Vokál 2005-09-23 10:05:21 UTC
Doh, thanks for pointing me to this. The package was not built with
RPM_OPT_FLAGS so some arch specific options weren't in use. I will rebuild the
package and hopefully this will shed some more light on this issue. iproute-2.6.14-4

Comment 6 Radek Vokál 2005-10-05 07:12:05 UTC
Have you tried updating to the latest iproute package built with OPT_FLAGS?

Comment 7 Matt Domsch 2005-10-06 13:28:55 UTC
I rebuilt iproute-2.6.14-4 using mock on FC4 and installed it.  Still fails, but
gives some indication now of why.
$ gdb ip
GNU gdb Red Hat Linux (6.3.0.0-1.21rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".

(gdb) ip -6 route show dev eth1 via ::
Undefined command: "ip".  Try "help".
(gdb) set args -6 route show dev eth1 via ::
(gdb) run
Starting program: /sbin/ip -6 route show dev eth1 via ::
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xffffe000
2001:470:1f01:1867::/80  metric 256  mtu 1500 advmss 1440 metric 10 4294967295
*** buffer overflow detected ***: /sbin/ip terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0x945c45]
/sbin/ip[0x804f877]
/sbin/ip[0x806114c]
/sbin/ip[0x804e707]
/sbin/ip[0x8049579]
/sbin/ip[0x8049a90]
/lib/libc.so.6(__libc_start_main+0xdf)[0x87cd5f]
/sbin/ip[0x8049431]
======= Memory map: ========

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0x00890118 in raise () from /lib/libc.so.6
#2  0x00891888 in abort () from /lib/libc.so.6
#3  0x008c522a in __libc_message () from /lib/libc.so.6
#4  0x00945c45 in __chk_fail () from /lib/libc.so.6
#5  0x0804f877 in print_route (who=0xbfa67028, n=0xbfa636ac, arg=0x98d5e0) at
iproute.c:219
#6  0x0806114c in rtnl_dump_filter (rth=0x806dc40, filter=0x804f51a
<print_route>, arg1=0x98d5e0, junk=0, arg2=0x0)
    at libnetlink.c:207
#7  0x0804e707 in iproute_list_or_flush (argc=Variable "argc" is not available.
) at iproute.c:1219
#8  0x08049579 in do_cmd (argv0=0xbfa69b34 "route", argc=6, argv=0xbfa6816c) at
ip.c:84
#9  0x08049a90 in main (argc=7, argv=0xbfa68168) at ip.c:225
#10 0x0087cd5f in __libc_start_main () from /lib/libc.so.6
#11 0x08049431 in _start ()


Comment 8 Arjan van de Ven 2005-10-06 14:48:38 UTC
        if (filter.rvia.bitlen>0) {
                memset(&via, 0, sizeof(via));
                via.family = r->rtm_family;
                if (tb[RTA_GATEWAY])
                        memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]), host_len);
        }


that memcpy goes too big
because of
typedef struct
{
        __u8 family;
        __u8 bytelen;
        __s16 bitlen;
        __u32 flags;
        __u32 data[4];
} inet_prefix;


apparently host_len is too big; could you ask gdb what the value of host_len is?

Comment 9 Matt Domsch 2005-10-07 00:23:47 UTC
(gdb) frame 5
#5  0x0804f877 in print_route (who=0xbf8aef68, n=0xbf8ab558, arg=0x98d5e0) at
iproute.c:219
219                             memcpy(&via.data, RTA_DATA(tb[RTA_GATEWAY]),
host_len);
(gdb) print host_len
$1 = 128


Comment 10 Matt Domsch 2005-10-07 00:25:42 UTC
Which comes from:

       if (r->rtm_family == AF_INET6)
                host_len = 128;


Comment 11 Matt Domsch 2005-10-07 02:35:43 UTC
Created attachment 119698 [details]
iproute2-ss050901-host_len.patch

host_len should be divided by 8, as its unit is bits, whereas memcpy uses
byte units.
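
The bits-versus-bytes mix-up from Comment 8 and the division-by-8 fix from this patch, as an added C illustration (not code from iproute2 or from the attached patch; the function names and the sample gateway bytes are my own): host_len is 128 bits for AF_INET6, inet_prefix.data is 16 bytes, so passing host_len straight to memcpy writes 128 bytes into a 16-byte field, which is exactly the overrun glibc's __chk_fail reported. The bounded copy below converts to bytes and rejects any length that would overrun the buffer or the attribute.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/* Same layout as iproute2's inet_prefix quoted above: data[4] is 16 bytes,
 * room for exactly one IPv6 address. */
typedef struct {
    uint8_t  family;
    uint8_t  bytelen;
    int16_t  bitlen;
    uint32_t flags;
    uint32_t data[4];
} inet_prefix;

/* Constructed sample RTA_GATEWAY payload: the 16 bytes of 2001:db8::1. */
static const unsigned char sample_gateway[16] = {
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

/* The quantity print_route() computes: address length in BITS. */
static int host_len_bits(int family) {
    return family == AF_INET6 ? 128 : 32;
}

/* Copy nbytes of gateway data into via->data. Returns bytes copied, or -1
 * when nbytes would overrun the 16-byte field or the attribute itself.
 * Passing host_len_bits() here unconverted is the reported bug (128 "bytes"). */
static int copy_gateway(inet_prefix *via, int family,
                        const unsigned char *rta_data, size_t rta_len,
                        size_t nbytes) {
    memset(via, 0, sizeof(*via));
    via->family = (uint8_t)family;
    if (nbytes > sizeof(via->data) || nbytes > rta_len)
        return -1;                      /* refuse instead of overflowing */
    memcpy(via->data, rta_data, nbytes);
    via->bytelen = (uint8_t)nbytes;
    via->bitlen  = (int16_t)(nbytes * 8);
    return (int)nbytes;
}

int main(void) {
    inet_prefix via;
    int bits = host_len_bits(AF_INET6);
    /* Buggy call: host_len in bits used as a byte count -> rejected (-1). */
    printf("unconverted: %d\n", copy_gateway(&via, AF_INET6, sample_gateway, 16, bits));
    /* Patched call: host_len / 8, as in the attached patch -> 16. */
    printf("bits/8:      %d\n", copy_gateway(&via, AF_INET6, sample_gateway, 16, bits / 8));
    return 0;
}
```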

Comment 12 Matt Domsch 2005-10-07 02:37:38 UTC
This patch resolves it for me in testing, no more segfaults, tested on 2 FC4
i386 systems that previously failed, and the patch is obviously correct.

Comment 13 Radek Vokál 2005-10-07 06:19:00 UTC
Thanks. Patch applied on rawhide.

