Bug 306941 - ipmitool SOL session segfaults
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: OpenIPMI
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Phil Knirsch
Keywords: OtherQA, Reopened
Reported: 2007-09-26 09:27 EDT by Jose Plans
Modified: 2015-03-04 20:19 EST
CC: 2 users

Fixed In Version: RHBA-2008-0330
Doc Type: Bug Fix
Last Closed: 2008-05-21 10:32:24 EDT

Attachments
ipmitool-no_SOL_fix.patch (433 bytes, text/x-patch)
2007-09-26 09:27 EDT, Jose Plans

Description Jose Plans 2007-09-26 09:27:34 EDT
Description of problem:

If you setup a SOL session in one window ('sol activate'), and deactivate that
SOL session in a different window ('sol deactivate'), the SOL session in the
original window appears to hang temporarily, but then throws a segmentation fault.

Checking the sources, it seems there are cases where the SOL packets could be
missed, making ipmi_lan_poll_recv() return a NULL pointer. This is fine as long
as there is a safety check, which there isn't.

Core was generated by `ipmitool -v -I lanplus -U root -a -H
x4600-ilom.gsslab.rdu.redhat.com sol activ'.
Program terminated with signal 11, Segmentation fault.
#0  ipmi_lanplus_recv_sol (intf=0x80aa380) at lanplus.c:2459
2459       if(rsp->session.authtype != 0)
(gdb) bt full
#0  ipmi_lanplus_recv_sol (intf=0x80aa380) at lanplus.c:2459
       rsp = (struct ipmi_rs *) 0x0
#1  0x0807db28 in ipmi_lanplus_send_payload (intf=0x80aa380, payload=0xbf884294)
at lanplus.c:2167
       rsp = (struct ipmi_rs *) 0x0
       msg_data = (uint8_t *) 0x95daab8 "\006"
       msg_length = 64
       session = (struct ipmi_session *) 0x95d9210
       try = 0
       __PRETTY_FUNCTION__ = "ipmi_lanplus_send_payload"

struct ipmi_rs *
ipmi_lanplus_recv_sol(struct ipmi_intf * intf)
{
       struct ipmi_rs * rsp = ipmi_lan_poll_recv(intf);

       if(rsp->session.authtype != 0)    <-- here we have the segv.

Further down:

       rsp = ipmi_lan_recv_packet(intf);

       /*
        * Not positive why we're looping.  Do we sometimes get stuff we don't
        * expect?
        */
       while (rsp != NULL) {

Loop until we receive a packet, but from here:

               /*
                * SOL
                */
               else if (rsp->session.payloadtype == IPMI_PAYLOAD_TYPE_SOL)

Therefore a safety check should be added as:

-   if(rsp->session.authtype != 0)
+   if(rsp && rsp->session.authtype != 0)
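Review bot: with this guard ipmi_lanplus_recv_sol() returns the NULL rsp to its caller instead of dereferencing it, so the caller needs the same check. The backtrace shows that caller is ipmi_lanplus_send_payload() (frame #1, `rsp = (struct ipmi_rs *) 0x0`, `try = 0`); confirm that its retry loop treats a NULL return as a missed packet (retry or time out) rather than handing it on to code that reads rsp->session. A one-line comment on the new condition saying that ipmi_lan_poll_recv() returns NULL when the SOL packet was missed would also help, since `while (rsp != NULL)` in the poll loop makes that a normal exit, not an error.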

(Please see patch)

Version-Release number of selected component (if applicable):
ipmitool-1.8.8 from OpenIPMI-tools-2.0.6-5.el5.3

How reproducible:

Steps to Reproduce:
1. In one terminal setup a SOL session with ipmitool
   \_ % ipmitool -v -I lanplus -U root -P changeme -H hostname sol activate
   [SOL Session operational. Use ~? for help]

2. In another terminal and same system run :
   \_ % ipmitool -v -I lanplus -U root -P changeme -H hostname sol deactivate
    Info: SOL payload already de-activated
3. Revert to the first terminal (sol activate) and see that the session received
   \_ % ipmitool -v -I lanplus -U root -P changeme -H hostname sol activate
   [SOL Session operational. Use ~? for help]
   Segmentation fault (core dump)

Actual results:
Segmentation Fault.

Expected results:
No Segmentation Fault.

Additional info:
Patch attached from the core analysis that also matches 1.8.9 upstream code.
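The unguarded and guarded versions of the receive path, together with the caller that has to cope with the NULL return, as an added example; this is not ipmitool's code and not part of the bug report. The struct layouts, the in-memory packet queue that stands in for the LAN socket, send_sol_ack() and the two scenario_* helpers are assumptions for illustration. The guarded function uses the condition from the attached patch; the caller-side handling is the part the report implies but does not show.

```c
/* Added example, not ipmitool's code: a reduced model of the receive path in
 * the backtrace (ipmi_lan_poll_recv -> ipmi_lanplus_recv_sol ->
 * ipmi_lanplus_send_payload). Struct layouts, the queue standing in for the
 * socket and send_sol_ack() are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPMI_PAYLOAD_TYPE_SOL 1

struct ipmi_rs {
    struct { uint8_t authtype; uint8_t payloadtype; } session;
};

/* Stand-in for struct ipmi_intf: a constructed inbound queue, not a socket.
 * remaining == 0 models the "SOL packet missed" case from the report. */
struct ipmi_intf {
    struct ipmi_rs *pkts;
    size_t remaining;
    unsigned acks_sent;   /* SOL ACKs the receive path sent back */
};

/* Model of ipmi_lan_poll_recv(): next packet, or NULL when nothing expected
 * arrived. NULL is a normal outcome here, not an error. */
static struct ipmi_rs *ipmi_lan_poll_recv(struct ipmi_intf *intf)
{
    if (intf->pkts == NULL || intf->remaining == 0)
        return NULL;
    intf->remaining--;
    return intf->pkts++;
}

static void send_sol_ack(struct ipmi_intf *intf) { intf->acks_sent++; }

/* BEFORE the fix (lanplus.c:2459 in the report): an empty queue makes this
 * dereference NULL, the segfault in the backtrace. Only safe with a packet queued. */
struct ipmi_rs *ipmi_lanplus_recv_sol_unguarded(struct ipmi_intf *intf)
{
    struct ipmi_rs *rsp = ipmi_lan_poll_recv(intf);

    if (rsp->session.authtype != 0)       /* rsp may be NULL here */
        send_sol_ack(intf);
    return rsp;
}

/* AFTER the fix (the attached patch): a missed packet becomes a NULL return. */
struct ipmi_rs *ipmi_lanplus_recv_sol(struct ipmi_intf *intf)
{
    struct ipmi_rs *rsp = ipmi_lan_poll_recv(intf);

    if (rsp && rsp->session.authtype != 0)
        send_sol_ack(intf);
    return rsp;
}

/* The caller must honour that NULL too: poll up to max_tries times and report
 * a timeout rather than reading rsp->session through a NULL pointer.
 * Returns 1 if a SOL packet arrived, 0 on timeout. */
int ipmi_lanplus_send_payload(struct ipmi_intf *intf, unsigned max_tries)
{
    for (unsigned attempt = 0; attempt < max_tries; attempt++) {
        struct ipmi_rs *rsp = ipmi_lanplus_recv_sol(intf);
        if (rsp == NULL)
            continue;                     /* nothing arrived; try again */
        if (rsp->session.payloadtype == IPMI_PAYLOAD_TYPE_SOL)
            return 1;
    }
    return 0;                             /* timed out, no crash */
}

/* Live session: one authenticated SOL packet is queued (constructed input).
 * Returns the number of ACKs sent, or -1 if the packet was not received. */
int scenario_live_session(void)
{
    struct ipmi_rs pkt = { .session = { .authtype = 2, .payloadtype = IPMI_PAYLOAD_TYPE_SOL } };
    struct ipmi_intf intf = { .pkts = &pkt, .remaining = 1, .acks_sent = 0 };

    return ipmi_lanplus_send_payload(&intf, 3) == 1 ? (int)intf.acks_sent : -1;
}

/* Session deactivated from another terminal: the SOL packet never shows up.
 * Returns 1 when the guarded path times out cleanly and sends no ACK. */
int scenario_missed_packet(void)
{
    struct ipmi_intf intf = { .pkts = NULL, .remaining = 0, .acks_sent = 0 };

    return ipmi_lanplus_recv_sol(&intf) == NULL
        && ipmi_lanplus_send_payload(&intf, 3) == 0
        && intf.acks_sent == 0;
}

int main(void)
{
    printf("live session: acks sent = %d\n", scenario_live_session());
    printf("missed packet handled without crash: %d\n", scenario_missed_packet());
    return 0;
}
```

The point of the caller-side loop is that after the patch a missed packet is reported as NULL rather than a crash, and that NULL has to be consumed as "nothing arrived, retry or give up" at every level that receives it; a single guard in the receive function only moves the dereference if its caller still assumes a packet is always returned.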
Comment 1 Jose Plans 2007-09-26 09:27:34 EDT
Created attachment 207111
Comment 4 RHEL Product and Program Management 2007-10-15 23:38:00 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 14 errata-xmlrpc 2008-05-21 10:32:24 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

