Bug 187106 - snmptrapd segvs with long trap
snmptrapd segvs with long trap
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: net-snmp (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Radek Vokal
:
Depends On:
Blocks: 181411
  Show dependency treegraph
 
Reported: 2006-03-28 10:44 EST by Bastien Nocera
Modified: 2007-11-30 17:07 EST (History)
3 users (show)

See Also:
Fixed In Version: RHBA-2006-0421
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-10 17:32:44 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
net-snmp-5.1.2-snmp_vlog_varargs_retraversal.patch (853 bytes, patch)
2006-03-28 10:46 EST, Bastien Nocera
no flags Details | Diff

  None (edit)
Description Bastien Nocera 2006-03-28 10:44:43 EST
net-snmp-5.1.2-11.EL4.6

1. launch snmptrapd
/etc/init.d/snmptrapd restart
2. launch a long trap command (that's one line):

snmptrap -v 2c -c testim localhost 0 enterprises.19517.2.2.4
enterprises.19517.2.1.6.1.1.0.2 s
'alarm.service.foooooooooo.request.system.error' enterprises.19517.2.1.6.1.1.0.3
o enterprises.19517.2.1.5.1.0 enterprises.19517.2.1.6.1.1.0.5 i 4
enterprises.19517.2.1.6.1.1.0.6 s 'Thread=Thread[http-8080-Processor24,5,main] |
target=com.test.ccc.foooooooooo.CSPFooooooooooHandler | method=public abstract
com.test.ccc.api.Response
com.test.ccc.api.foooooooooo.ICSPFooooooooooHandler.logout
(com.test.ccc.api.foooooooooo.ISession,com.test.ccc.protocol12.tr
c.LogoutRequest) | request=com.test.ccc.protocol12.trc.LogoutRequest@8c3721 | '
enterprises.19517.2.1.6.1.1.0.7 s
"com.test.support.persistence.PersistenceException: Failed during execution of
committed command 'SessionService.delete expireSession'. Will rollback last
transaction (no more committed commands will be executed."
enterprises.19517.2.1.6.1.1.0.8 s "Request caused system error: Failed during
execution of committed command 'SessionService.delete expireSession'. Will
rollback last transaction (no more committed commands will be executed."
enterprises.19517.2.1.6.1.1.0.9 s 'null'

snmptrapd will segv:
#0  0x0000002a97257f40 in strlen () from /lib64/tls/libc.so.6
#1  0x0000002a9722aa1c in vfprintf () from /lib64/tls/libc.so.6
#2  0x0000002a97249f54 in vsnprintf () from /lib64/tls/libc.so.6
#3  0x0000002a95c0d837 in snmp_vlog () from /usr/lib64/libnetsnmp.so.5
#4  0x0000002a95c0d918 in snmp_log () from /usr/lib64/libnetsnmp.so.5
#5  0x0000002a956701dd in print_handler () from /usr/lib64/libnetsnmptrapd.so.5
#6  0x0000002a9567141c in snmp_input () from /usr/lib64/libnetsnmptrapd.so.5
#7  0x0000002a95bf9f49 in snmpv3_make_report () from /usr/lib64/libnetsnmp.so.5
#8  0x0000002a95bfb0a1 in _sess_read () from /usr/lib64/libnetsnmp.so.5
#9  0x0000002a95bfb8a9 in snmp_sess_read () from /usr/lib64/libnetsnmp.so.5
#10 0x0000002a95bfb8f0 in snmp_read () from /usr/lib64/libnetsnmp.so.5
#11 0x000000552aaae0a2 in main () from /usr/sbin/snmptrapd

#0  0x0000002a97257f40 in strlen () from /lib64/tls/libc.so.6
       mallenv = "MALLOC_TRACE"
       malloc_trace_buffer = 0x0
       tr_old_malloc_hook = (void *(*)(size_t, const void *)) 0
       tr_old_memalign_hook = (void *(*)(size_t, size_t, const void *)) 0
       mallstream = (FILE *) 0x0
       tr_old_realloc_hook = (void *(*)(void *, size_t, const void *)) 0
       lock = 0
       tr_old_free_hook = (void (*)(void *, const void *)) 0
       mallwatch = (void *) 0x0
#1  0x0000002a9722aa1c in _IO_vfprintf (s=0x7fbfffe780, format=Variable "format"
is not available.
) at vfprintf.c:1535
       tmp = (const unsigned char *) 0xa <Address 0xa out of bounds>
       thousands_sep = 0x0
       grouping = 0xffffffffffffffff <Address 0xffffffffffffffff out of bounds>
       done = 0
       f = (const unsigned char *) 0x2a95675536 "s%s"
       lead_str_end = (const unsigned char *) 0x2a95675535 "%s%s"
       end_of_spec = Variable "end_of_spec" is not available.

This happens because of the reuse of vaargs when the command is > 1024 (LOGLENGTH).
Patch from Imed Chihi <ichihi@redhat.com>
Comment 1 Bastien Nocera 2006-03-28 10:46:50 EST
Created attachment 126912 [details]
net-snmp-5.1.2-snmp_vlog_varargs_retraversal.patch
Comment 2 Radek Vokal 2006-03-30 04:41:37 EST
Thanks for the patch
Comment 26 Red Hat Bugzilla 2006-08-10 17:32:45 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0421.html

Note You need to log in before you can comment on or make changes to this bug.