Bug 306941 - ipmitool SOL session segfaults
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: OpenIPMI
Version: 5.0
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Phil Knirsch
Reported: 2007-09-26 09:27 EDT by Jose Plans
Modified: 2015-03-04 20:19 EST (History)
Fixed In Version: RHBA-2008-0330
Doc Type: Bug Fix
Last Closed: 2008-05-21 10:32:24 EDT
Attachments (Terms of Use)
ipmitool-no_SOL_fix.patch (433 bytes, text/x-patch)
2007-09-26 09:27 EDT, Jose Plans
Description Jose Plans 2007-09-26 09:27:34 EDT
Description of problem:

If you set up a SOL session in one window ('sol activate') and deactivate that
SOL session from a different window ('sol deactivate'), the SOL session in the
original window appears to hang temporarily, but then throws a segmentation fault.

Checking the sources, it seems there are cases where the SOL packets could be
missed, making ipmi_lan_poll_recv() return a NULL pointer. This is fine as long
as there is a safety check, which there isn't.

//
Core was generated by `ipmitool -v -I lanplus -U root -a -H
x4600-ilom.gsslab.rdu.redhat.com sol activ'.
Program terminated with signal 11, Segmentation fault.
#0  ipmi_lanplus_recv_sol (intf=0x80aa380) at lanplus.c:2459
2459       if(rsp->session.authtype != 0)
(gdb) bt full
#0  ipmi_lanplus_recv_sol (intf=0x80aa380) at lanplus.c:2459
       rsp = (struct ipmi_rs *) 0x0
#1  0x0807db28 in ipmi_lanplus_send_payload (intf=0x80aa380, payload=0xbf884294)
at lanplus.c:2167
       rsp = (struct ipmi_rs *) 0x0
       msg_data = (uint8_t *) 0x95daab8 "\006"
       msg_length = 64
       session = (struct ipmi_session *) 0x95d9210
       try = 0
       __PRETTY_FUNCTION__ = "ipmi_lanplus_send_payload"
//

So:
--
struct ipmi_rs *
ipmi_lanplus_recv_sol(struct ipmi_intf * intf)
{
       struct ipmi_rs * rsp = ipmi_lan_poll_recv(intf);

  if(rsp->session.authtype != 0) <-- here we have the segv.
--
Further down:
--

       rsp = ipmi_lan_recv_packet(intf);

       /*
        * Not positive why we're looping.  Do we sometimes get stuff we don't
        * expect?
        */
       while (rsp != NULL) {
--
Loop until we receive a packet, but from here:
--
               /*
                * SOL
                */
               else if (rsp->session.payloadtype == IPMI_PAYLOAD_TYPE_SOL)
               {
--

Therefore a safety check should be added as:

-   if(rsp->session.authtype != 0)
+   if(rsp && rsp->session.authtype != 0)
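Review bot: the `rsp &&` guard stops the dereference at lanplus.c:2459, but on a missed packet the function then presumably hands a NULL `rsp` back to its caller, ipmi_lanplus_send_payload() (frame #1 in the backtrace), so the fix is only complete if every later use of `rsp` in ipmi_lanplus_recv_sol() and in that caller treats NULL as "no packet received" instead of dereferencing it; please confirm that, and that the caller's retry loop (`try = 0` in frame #1) terminates rather than spinning when the remote side has already deactivated SOL.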

(Please see patch)

Version-Release number of selected component (if applicable):
ipmitool-1.8.8 from OpenIPMI-tools-2.0.6-5.el5.3

How reproducible:
Always

Steps to Reproduce:
1. In one terminal set up a SOL session with ipmitool
   \_ % ipmitool -v -I lanplus -U root -P changeme -H hostname sol activate
   [SOL Session operational. Use ~? for help]

2. In another terminal on the same system run:
   \_ % ipmitool -v -I lanplus -U root -P changeme -H hostname sol deactivate
    Info: SOL payload already de-activated

3. Revert to the first terminal (sol activate) and see that the session received
a SEGV.
   \_ % ipmitool -v -I lanplus -U root -P changeme -H hostname sol activate
   [SOL Session operational. Use ~? for help]
   Segmentation fault (core dump)

Actual results:
Segmentation Fault.

Expected results:
No Segmentation Fault.

Additional info:
Patch attached from the core analysis that also matches 1.8.9 upstream code.
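As an added illustration, not part of this bug report or of the ipmitool sources: a stand-alone C model of the fixed receive path. struct ipmi_rs, the receive queue, ipmi_lan_poll_recv() and the caller's retry loop are constructed stand-ins, and they show that a missed SOL packet now travels up to the caller as a NULL "no reply" result instead of being dereferenced at the authtype check.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for ipmitool's struct ipmi_rs: only the field the
 * crashing line in this report reads. */
struct ipmi_rs { struct { uint8_t authtype; } session; };

/* Constructed receive queue. A NULL entry models a missed packet, which
 * is what ipmi_lan_poll_recv() hands back in the bug report. */
static struct ipmi_rs *rx_queue[8];
static int rx_head, rx_len, acks_sent;

static struct ipmi_rs *ipmi_lan_poll_recv(void)
{
    return (rx_head < rx_len) ? rx_queue[rx_head++] : NULL;
}

/* Fixed form of ipmi_lanplus_recv_sol(): with the guard from the attached
 * patch a NULL poll result is returned to the caller, not dereferenced. */
static struct ipmi_rs *ipmi_lanplus_recv_sol(void)
{
    struct ipmi_rs *rsp = ipmi_lan_poll_recv();
    if (rsp && rsp->session.authtype != 0)
        acks_sent++;              /* stands in for sending the SOL ACK */
    return rsp;
}

/* Caller modelled on the retry loop in frame #1 of the backtrace: NULL
 * means "no packet yet", so it is retried, never dereferenced. */
static int sol_send_with_retry(int max_tries)
{
    for (int attempt = 0; attempt < max_tries; attempt++)
        if (ipmi_lanplus_recv_sol() != NULL)
            return attempt + 1;   /* polls needed to get a reply */
    return -1;                    /* gave up: SOL was torn down elsewhere */
}

/* Constructed scenario: n_missed (at most 7) empty polls, then optionally
 * one authenticated SOL packet. Returns the poll count for a 3-try caller. */
int run_scenario(int n_missed, int deliver_packet)
{
    static struct ipmi_rs pkt = { { 1 } };
    rx_head = rx_len = acks_sent = 0;
    for (int i = 0; i < n_missed && rx_len < 7; i++)
        rx_queue[rx_len++] = NULL;
    if (deliver_packet)
        rx_queue[rx_len++] = &pkt;
    return sol_send_with_retry(3);
}
int acks_after_last_run(void) { return acks_sent; }
```

Without the `rsp &&` guard the scenarios with missed polls would fault on the first NULL, exactly as in the gdb output above; with it they either succeed on a later poll or report -1 once the retries are exhausted.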
Comment 1 Jose Plans 2007-09-26 09:27:34 EDT
Created attachment 207111 [details]
ipmitool-no_SOL_fix.patch
Comment 4 RHEL Product and Program Management 2007-10-15 23:38:00 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 14 errata-xmlrpc 2008-05-21 10:32:24 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0330.html
