Bug 187106 - snmptrapd segvs with long trap
Summary: snmptrapd segvs with long trap
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: net-snmp
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Radek Vokál
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 181411
Reported: 2006-03-28 15:44 UTC by Bastien Nocera
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version: RHBA-2006-0421
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-10 21:32:44 UTC
Target Upstream Version:
Embargoed:


Attachments
net-snmp-5.1.2-snmp_vlog_varargs_retraversal.patch (853 bytes, patch)
2006-03-28 15:46 UTC, Bastien Nocera


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2006:0421 0 normal SHIPPED_LIVE net-snmp bug fix update 2006-08-09 04:00:00 UTC

Description Bastien Nocera 2006-03-28 15:44:43 UTC
net-snmp-5.1.2-11.EL4.6

1. launch snmptrapd
/etc/init.d/snmptrapd restart
2. launch a long trap command (that's one line):

snmptrap -v 2c -c testim localhost 0 enterprises.19517.2.2.4
enterprises.19517.2.1.6.1.1.0.2 s
'alarm.service.foooooooooo.request.system.error' enterprises.19517.2.1.6.1.1.0.3
o enterprises.19517.2.1.5.1.0 enterprises.19517.2.1.6.1.1.0.5 i 4
enterprises.19517.2.1.6.1.1.0.6 s 'Thread=Thread[http-8080-Processor24,5,main] |
target=com.test.ccc.foooooooooo.CSPFooooooooooHandler | method=public abstract
com.test.ccc.api.Response
com.test.ccc.api.foooooooooo.ICSPFooooooooooHandler.logout
(com.test.ccc.api.foooooooooo.ISession,com.test.ccc.protocol12.tr
c.LogoutRequest) | request=com.test.ccc.protocol12.trc.LogoutRequest@8c3721 | '
enterprises.19517.2.1.6.1.1.0.7 s
"com.test.support.persistence.PersistenceException: Failed during execution of
committed command 'SessionService.delete expireSession'. Will rollback last
transaction (no more committed commands will be executed."
enterprises.19517.2.1.6.1.1.0.8 s "Request caused system error: Failed during
execution of committed command 'SessionService.delete expireSession'. Will
rollback last transaction (no more committed commands will be executed."
enterprises.19517.2.1.6.1.1.0.9 s 'null'

snmptrapd will segv:
#0  0x0000002a97257f40 in strlen () from /lib64/tls/libc.so.6
#1  0x0000002a9722aa1c in vfprintf () from /lib64/tls/libc.so.6
#2  0x0000002a97249f54 in vsnprintf () from /lib64/tls/libc.so.6
#3  0x0000002a95c0d837 in snmp_vlog () from /usr/lib64/libnetsnmp.so.5
#4  0x0000002a95c0d918 in snmp_log () from /usr/lib64/libnetsnmp.so.5
#5  0x0000002a956701dd in print_handler () from /usr/lib64/libnetsnmptrapd.so.5
#6  0x0000002a9567141c in snmp_input () from /usr/lib64/libnetsnmptrapd.so.5
#7  0x0000002a95bf9f49 in snmpv3_make_report () from /usr/lib64/libnetsnmp.so.5
#8  0x0000002a95bfb0a1 in _sess_read () from /usr/lib64/libnetsnmp.so.5
#9  0x0000002a95bfb8a9 in snmp_sess_read () from /usr/lib64/libnetsnmp.so.5
#10 0x0000002a95bfb8f0 in snmp_read () from /usr/lib64/libnetsnmp.so.5
#11 0x000000552aaae0a2 in main () from /usr/sbin/snmptrapd

#0  0x0000002a97257f40 in strlen () from /lib64/tls/libc.so.6
       mallenv = "MALLOC_TRACE"
       malloc_trace_buffer = 0x0
       tr_old_malloc_hook = (void *(*)(size_t, const void *)) 0
       tr_old_memalign_hook = (void *(*)(size_t, size_t, const void *)) 0
       mallstream = (FILE *) 0x0
       tr_old_realloc_hook = (void *(*)(void *, size_t, const void *)) 0
       lock = 0
       tr_old_free_hook = (void (*)(void *, const void *)) 0
       mallwatch = (void *) 0x0
#1  0x0000002a9722aa1c in _IO_vfprintf (s=0x7fbfffe780, format=Variable "format"
is not available.
) at vfprintf.c:1535
       tmp = (const unsigned char *) 0xa <Address 0xa out of bounds>
       thousands_sep = 0x0
       grouping = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>
       done = 0
       f = (const unsigned char *) 0x2a95675536 "s%s"
       lead_str_end = (const unsigned char *) 0x2a95675535 "%s%s"
       end_of_spec = Variable "end_of_spec" is not available.

This happens because of the reuse of varargs when the command is > 1024 (LOGLENGTH).
Patch from Imed Chihi <ichihi>
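
The varargs reuse described above, shown with one way to avoid it. This is an added example, not the attached patch and not net-snmp code: the names vformat_log, format_log and roundtrip_ok are hypothetical, and only LOGLENGTH (1024) and the "%s%s" format come from the report.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOGLENGTH 1024 /* size named in the report */

/* Hypothetical helper: format into a LOGLENGTH stack buffer first and fall
 * back to a heap buffer for longer messages. The caller frees the result. */
static char *vformat_log(const char *format, va_list ap)
{
    char buffer[LOGLENGTH], *dynamic;
    va_list aq;
    int length;

    va_copy(aq, ap); /* copy before the first traversal consumes ap */
    length = vsnprintf(buffer, sizeof(buffer), format, ap);
    dynamic = length < 0 ? NULL : malloc((size_t)length + 1);
    if (dynamic != NULL && length < LOGLENGTH)
        memcpy(dynamic, buffer, (size_t)length + 1);
    else if (dynamic != NULL)
        /* Long message: the second traversal must use the copy. Passing ap
         * again is the reuse the report describes; ap is indeterminate
         * after the first vsnprintf(), so "%s" reads a bogus pointer. */
        vsnprintf(dynamic, (size_t)length + 1, format, aq);
    va_end(aq);
    return dynamic;
}

char *format_log(const char *format, ...)
{
    va_list ap;
    char *out;

    va_start(ap, format);
    out = vformat_log(format, ap);
    va_end(ap);
    return out;
}

/* Constructed input: an n-byte payload sent through "%s%s".
 * Returns 1 when the formatted message comes back intact. */
int roundtrip_ok(size_t n)
{
    char *payload = malloc(n + 1), *out;
    int ok;

    if (payload == NULL) return 0;
    memset(payload, 'A', n);
    payload[n] = '\0';
    out = format_log("%s%s", "trap: ", payload);
    ok = out != NULL && strlen(out) == n + 6 && strcmp(out + 6, payload) == 0;
    free(out);
    free(payload);
    return ok;
}
```

Only messages of LOGLENGTH bytes or more reach the second vsnprintf() call, which is why short traps do not trigger the crash.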

Comment 1 Bastien Nocera 2006-03-28 15:46:50 UTC
Created attachment 126912
net-snmp-5.1.2-snmp_vlog_varargs_retraversal.patch

Comment 2 Radek Vokál 2006-03-30 09:41:37 UTC
Thanks for the patch

Comment 26 Red Hat Bugzilla 2006-08-10 21:32:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0421.html


