Description of problem:
If you set up a SOL session in one window ('sol activate'), and deactivate that SOL session in a different window ('sol deactivate'), the SOL session in the original window appears to hang temporarily, but then throws a segmentation fault.

Checking the sources, it seems there are cases where the SOL packets could be missed, making ipmi_lan_poll_recv() return a NULL pointer. This is fine as long as there is a safety check, which there isn't.

//
Core was generated by `ipmitool -v -I lanplus -U root -a -H x4600-ilom.gsslab.rdu.redhat.com sol activ'.
Program terminated with signal 11, Segmentation fault.
#0  ipmi_lanplus_recv_sol (intf=0x80aa380) at lanplus.c:2459
2459            if(rsp->session.authtype != 0)
(gdb) bt full
#0  ipmi_lanplus_recv_sol (intf=0x80aa380) at lanplus.c:2459
        rsp = (struct ipmi_rs *) 0x0
#1  0x0807db28 in ipmi_lanplus_send_payload (intf=0x80aa380, payload=0xbf884294) at lanplus.c:2167
        rsp = (struct ipmi_rs *) 0x0
        msg_data = (uint8_t *) 0x95daab8 "\006"
        msg_length = 64
        session = (struct ipmi_session *) 0x95d9210
        try = 0
        __PRETTY_FUNCTION__ = "ipmi_lanplus_send_payload"
//

So:
--
struct ipmi_rs *
ipmi_lanplus_recv_sol(struct ipmi_intf * intf)
{
        struct ipmi_rs * rsp = ipmi_lan_poll_recv(intf);

        if(rsp->session.authtype != 0)       <-- here we have the segv.
--

Further down:
--
        rsp = ipmi_lan_recv_packet(intf);

        /*
         * Not positive why we're looping. Do we sometimes get stuff we don't
         * expect?
         */
        while (rsp != NULL) {
--

Loop until we receive a packet but from here :
--
                /*
                 * SOL
                 */
                else if (rsp->session.payloadtype == IPMI_PAYLOAD_TYPE_SOL)
                {
--

Therefore a safety check should be added as :

- if(rsp->session.authtype != 0)
+ if(rsp && rsp->session.authtype != 0)

(Please see patch)

Version-Release number of selected component (if applicable):
ipmitool-1.8.8 from OpenIPMI-tools-2.0.6-5.el5.3

How reproducible:
Always

Steps to Reproduce:
1. In one terminal set up a SOL session with ipmitool
   \_ % ipmitool -v -I lanplus -U root -P changeme -H hostname sol activate
        [SOL Session operational. Use ~? for help]

2. In another terminal and same system run :
   \_ % ipmitool -v -I lanplus -U root -P changeme -H hostname sol deactivate
        Info: SOL payload already de-activated

3. Revert to the first terminal (sol activate) and see that the session received a SEGV.
   \_ % ipmitool -v -I lanplus -U root -P changeme -H hostname sol activate
        [SOL Session operational. Use ~? for help]
        Segmentation fault (core dump)

Actual results:
Segmentation Fault.

Expected results:
No Segmentation Fault.

Additional info:
Patch attached from the core analysis that also matches 1.8.9 upstream code.

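
Review bot: In the added line "+ if(rsp && rsp->session.authtype != 0)", the guard only skips the authtype test when ipmi_lan_poll_recv() returns NULL; execution then continues into the rest of ipmi_lanplus_recv_sol() with rsp still NULL. An explicit early exit placed before the test, such as "if (rsp == NULL) return NULL;", would make the NULL path unambiguous and protect any later use of rsp in the same function. It is also worth confirming that the caller in frame #1 of the backtrace, ipmi_lanplus_send_payload (lanplus.c:2167), handles a NULL return, since its own rsp is 0x0 at the time of the crash.
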
Created attachment 207111
ipmitool-no_SOL_fix.patch
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0330.html