Bug 187106 - snmptrapd segvs with long trap
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: net-snmp
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Radek Vokal
Blocks: 181411
Reported: 2006-03-28 10:44 EST by Bastien Nocera
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHBA-2006-0421
Doc Type: Bug Fix
Last Closed: 2006-08-10 17:32:44 EDT

Attachments
net-snmp-5.1.2-snmp_vlog_varargs_retraversal.patch (853 bytes, patch)
2006-03-28 10:46 EST, Bastien Nocera

External Trackers
Tracker: Red Hat Product Errata; ID: RHBA-2006:0421; Priority: normal; Status: SHIPPED_LIVE; Summary: net-snmp bug fix update; Last Updated: 2006-08-09 00:00:00 EDT

Description Bastien Nocera 2006-03-28 10:44:43 EST

1. launch snmptrapd
/etc/init.d/snmptrapd restart
2. launch a long trap command (that's one line):

snmptrap -v 2c -c testim localhost 0 enterprises.19517.2.2.4
enterprises.19517. s
'alarm.service.foooooooooo.request.system.error' enterprises.19517.
o enterprises.19517. enterprises.19517. i 4
enterprises.19517. s 'Thread=Thread[http-8080-Processor24,5,main] |
target=com.test.ccc.foooooooooo.CSPFooooooooooHandler | method=public abstract
c.LogoutRequest) | request=com.test.ccc.protocol12.trc.LogoutRequest@8c3721 | '
enterprises.19517. s
"com.test.support.persistence.PersistenceException: Failed during execution of
committed command 'SessionService.delete expireSession'. Will rollback last
transaction (no more committed commands will be executed."
enterprises.19517. s "Request caused system error: Failed during
execution of committed command 'SessionService.delete expireSession'. Will
rollback last transaction (no more committed commands will be executed."
enterprises.19517. s 'null'

snmptrapd will segv:
#0  0x0000002a97257f40 in strlen () from /lib64/tls/libc.so.6
#1  0x0000002a9722aa1c in vfprintf () from /lib64/tls/libc.so.6
#2  0x0000002a97249f54 in vsnprintf () from /lib64/tls/libc.so.6
#3  0x0000002a95c0d837 in snmp_vlog () from /usr/lib64/libnetsnmp.so.5
#4  0x0000002a95c0d918 in snmp_log () from /usr/lib64/libnetsnmp.so.5
#5  0x0000002a956701dd in print_handler () from /usr/lib64/libnetsnmptrapd.so.5
#6  0x0000002a9567141c in snmp_input () from /usr/lib64/libnetsnmptrapd.so.5
#7  0x0000002a95bf9f49 in snmpv3_make_report () from /usr/lib64/libnetsnmp.so.5
#8  0x0000002a95bfb0a1 in _sess_read () from /usr/lib64/libnetsnmp.so.5
#9  0x0000002a95bfb8a9 in snmp_sess_read () from /usr/lib64/libnetsnmp.so.5
#10 0x0000002a95bfb8f0 in snmp_read () from /usr/lib64/libnetsnmp.so.5
#11 0x000000552aaae0a2 in main () from /usr/sbin/snmptrapd

#0  0x0000002a97257f40 in strlen () from /lib64/tls/libc.so.6
       mallenv = "MALLOC_TRACE"
       malloc_trace_buffer = 0x0
       tr_old_malloc_hook = (void *(*)(size_t, const void *)) 0
       tr_old_memalign_hook = (void *(*)(size_t, size_t, const void *)) 0
       mallstream = (FILE *) 0x0
       tr_old_realloc_hook = (void *(*)(void *, size_t, const void *)) 0
       lock = 0
       tr_old_free_hook = (void (*)(void *, const void *)) 0
       mallwatch = (void *) 0x0
#1  0x0000002a9722aa1c in _IO_vfprintf (s=0x7fbfffe780, format=Variable "format"
is not available.
) at vfprintf.c:1535
       tmp = (const unsigned char *) 0xa <Address 0xa out of bounds>
       thousands_sep = 0x0
       grouping = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>
       done = 0
       f = (const unsigned char *) 0x2a95675536 "s%s"
       lead_str_end = (const unsigned char *) 0x2a95675535 "%s%s"
       end_of_spec = Variable "end_of_spec" is not available.

This happens because of the reuse of varargs when the command is > 1024 (LOGLENGTH).
Patch from Imed Chihi <ichihi@redhat.com>
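
The report attributes the crash to an argument list being traversed a second time once the message exceeds LOGLENGTH. As an added example (not the attached patch and not net-snmp's code), this sketch shows the standard C99 va_copy pattern for a two-pass formatter; vformat_log, format_log and roundtrip_ok are hypothetical names, and the input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define LOGLENGTH 1024 /* first-try buffer size named in the report */

/* Hypothetical helper, not net-snmp code: format into a heap string,
 * walking the arguments a second time when the result exceeds LOGLENGTH. */
static char *vformat_log(const char *format, va_list ap)
{
    char buffer[LOGLENGTH], *dynamic;
    va_list probe;
    int length;
    /* vsnprintf() leaves a va_list indeterminate, so the first pass uses a
     * copy; calling it twice on the same 'ap' is the crashing pattern. */
    va_copy(probe, ap);
    length = vsnprintf(buffer, sizeof(buffer), format, probe);
    va_end(probe);
    if (length < 0 || (dynamic = malloc((size_t)length + 1)) == NULL)
        return NULL; /* output error or out of memory */
    if (length < LOGLENGTH)
        memcpy(dynamic, buffer, (size_t)length + 1); /* fitted first time */
    else
        vsnprintf(dynamic, (size_t)length + 1, format, ap); /* second pass */
    return dynamic;
}

/* Variadic front end in the shape of a snmp_log()-style wrapper. */
static char *format_log(const char *format, ...)
{
    va_list ap;
    char *msg;
    va_start(ap, format);
    msg = vformat_log(format, ap);
    va_end(ap);
    return msg;
}

/* Constructed check: "%*s" pads to 'width' (>= 3) bytes; 1 if intact. */
static int roundtrip_ok(int width)
{
    char *msg = format_log("%s%*s", "trap: ", width, "end");
    int ok = msg && strlen(msg) == (size_t)width + 6
             && strcmp(msg + width + 3, "end") == 0;
    free(msg);
    return ok;
}

int main(void) { return !(roundtrip_ok(10) && roundtrip_ok(4000)); }
```

A width of 1018 produces a 1024-byte message, the smallest one that forces the second pass.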
Comment 1 Bastien Nocera 2006-03-28 10:46:50 EST
Created attachment 126912
Comment 2 Radek Vokal 2006-03-30 04:41:37 EST
Thanks for the patch
Comment 26 Red Hat Bugzilla 2006-08-10 17:32:45 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.