Bug 284641 - net-snmp segfault in netsnmp_arch_interface_container_load
Status: CLOSED DUPLICATE of bug 240609
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: net-snmp
Version: 5.0
Hardware: x86_64 Linux
Priority: medium
Severity: low
Assigned To: Jan Safranek
Reported: 2007-09-10 10:43 EDT by Tor Ake Fransson
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-10-22 04:26:18 EDT
Description Tor Ake Fransson 2007-09-10 10:43:32 EDT
Description of problem:
net-snmp coredumps on x86_64

Version-Release number of selected component (if applicable):
5.3.1-14.0.1

How reproducible:
start snmpd on x86_64

Steps to Reproduce:
1. start snmpd with minimal config (snmpd.conf 1 line: rocommunity public)
  
Actual results:
snmpd crashes and the following is in the log:
kernel: snmpd[1633]: segfault at 000000000001a8d0 rip 0000002a96bed560 rsp
0000007fbfffe968 error 4

Expected results:
snmpd running

Additional info:
A post mortem debug shows this stack trace:
#0  0x0000002a96bed560 in strlen () from /lib64/tls/libc.so.6
#1  0x0000002a96bbfa0b in vfprintf () from /lib64/tls/libc.so.6
#2  0x0000002a96bdf434 in vsnprintf () from /lib64/tls/libc.so.6
#3  0x0000002a96bc51e1 in snprintf () from /lib64/tls/libc.so.6
#4  0x0000002a957310a5 in netsnmp_arch_interface_container_load (
    container=0x552abb8870, load_flags=Variable "load_flags" is not available.
) at if-mib/data_access/interface_linux.c:274
#5  0x0000002a957153be in netsnmp_access_interface_container_load (
    container=0x552abb8870, load_flags=0) at if-mib/data_access/interface.c:157
#6  0x0000002a957154ba in netsnmp_access_interface_init ()
    at if-mib/data_access/interface.c:88
#7  0x0000002a95735c99 in init_mib_modules () at mib_modules.c:76
#8  0x000000552aaae6b8 in main (argc=3, argv=0x7fbffff9d8) at snmpd.c:909
(gdb) f 4
#4  0x0000002a957310a5 in netsnmp_arch_interface_container_load (
    container=0x552abb8870, load_flags=Variable "load_flags" is not available.
) at if-mib/data_access/interface_linux.c:274
274         snprintf(line, sizeof(line), proc_sys_basereachable_time, entry->name);
(gdb) print line
$3 = "    lo\000114905340  578581    0    0    0     0          0         0
114905340  578581    0    0    0     0       0         
0\000\000\000\000@\210»*U\000\000\000\210I\207\225*\000\000\000ç0»*U\000\000\000¸0»*U\000\000\000Øùÿ¿\177\000\000\000\003",
'\0' <repeats 15 times>, "\212\006V\225*\000\000\000\001\000\000\000\177", '\0'
<repeats 11 times>...
(gdb) print entry
$4 = (netsnmp_interface_entry *) 0x552abb8c60
(gdb) print entry->name
$5 = 0x552abb8da0 "lo"
(gdb) print proc_sys_basereachable_time
$6 = 0x2a95761d48 "/proc/sys/net/ipv%d/neigh/%s/base_reachable_time_ms"

So the problem seems to be in the patch net-snmp-5.3.1-reachable_ms.patch on
line 59, where the string proc_sys_basereachable_time contains placeholders for
one integer and one string, but only a string is passed as an argument to snprintf.
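
The mismatch identified in the report, as an added example that is not part of the original report or of net-snmp: the format gdb printed has two conversions (%d, then %s), so the helper below verifies that signature and passes both arguments. fmt_signature, reachable_time_path and ip_version are hypothetical names; only proc_sys_basereachable_time and its contents come from the page.

```c
#include <stdio.h>
#include <string.h>

/* Format string exactly as gdb printed it in the report: one %d, then one %s. */
static const char *proc_sys_basereachable_time =
    "/proc/sys/net/ipv%d/neigh/%s/base_reachable_time_ms";

/* Write fmt's conversion characters into sig (here "ds"). "%%" is skipped and
 * flags, width, precision and length modifiers are ignored; a '*' width is not
 * supported and yields a signature that matches nothing. Returns the count,
 * or -1 if fmt ends inside a conversion or sig is too small. */
static int fmt_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    if (siglen == 0)
        return -1;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%' || *++p == '%')
            continue;
        p += strspn(p, "-+ #0123456789.hlqjztL");
        if (*p == '\0' || n + 1 >= siglen)
            return -1;
        sig[n++] = *p;
    }
    sig[n] = '\0';
    return (int)n;
}

/* Hypothetical helper (not net-snmp code): build the path for one interface.
 * ip_version supplies the integer that the call at interface_linux.c:274
 * omitted. Returns the path length, or -1 on a signature mismatch or
 * truncation. */
static int reachable_time_path(char *out, size_t outlen, int ip_version,
                               const char *ifname)
{
    char sig[8];
    if (fmt_signature(proc_sys_basereachable_time, sig, sizeof(sig)) != 2 ||
        strcmp(sig, "ds") != 0)
        return -1;
    int n = snprintf(out, outlen, proc_sys_basereachable_time, ip_version, ifname);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char line[256];
    if (reachable_time_path(line, sizeof(line), 4, "lo") > 0)
        puts(line);
    return 0;
}
```

When the format is passed as a string literal instead of through a variable, gcc's -Wformat reports this kind of argument mismatch at compile time.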
Comment 1 Jan Safranek 2007-10-22 04:26:18 EDT
This should be already fixed in RHEL 5.1.

*** This bug has been marked as a duplicate of 240609 ***
