Red Hat Bugzilla – Bug 428785
dhclient 4.0.0-2 causes segv
Last modified: 2018-04-11 05:16:49 EDT
Description of problem: When I upgraded dhclient to 4.0.0-2.fc9 and tried to activate network, it failed with dhclient segv. Version-Release number of selected component (if applicable): dhclient-4.0.0-2.fc9 How reproducible: 100% Steps to Reproduce: 1. ifup eth1 2. 3. Actual results: [root@localhost i386]# LANG=C ifup eth1 Determining IP information for eth1.../etc/sysconfig/network-scripts/ifup-eth: line 297: 20375 Segmentation fault (core dumped) /sbin/dhclient ${DHCLIENTARGS} ${DEVICE} failed. [root@localhost i386]# cd /etc/sysconfig/network-scripts/ [root@localhost network-scripts]# gdb dhclient core.20375 GNU gdb Red Hat Linux (6.7.1-10.fc9rh) Copyright (C) 2007 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"... Using host libthread_db library "/lib/libthread_db.so.1". warning: Can't read pathname for load map: Input/output error. warning: Missing the matching library file: /usr/lib/debug/.build-id/fb/601234f43e181ec146c30341cfedde4486e4e9 warning: Missing the matching library file: /usr/lib/debug/.build-id/7f/8d2ae53f877fdc20b83e7cc4f11ace35da0565 warning: Missing the matching library file: /usr/lib/debug/.build-id/10/d12e928f0dfd302e8c6922e8743ad6786d464d Reading symbols from /lib/libc.so.6... warning: Missing the separate debug info file: /usr/lib/debug/.build-id/fb/601234f43e181ec146c30341cfedde4486e4e9.debug done. Loaded symbols for /lib/libc.so.6 Reading symbols from /lib/ld-linux.so.2... warning: Missing the separate debug info file: /usr/lib/debug/.build-id/7f/8d2ae53f877fdc20b83e7cc4f11ace35da0565.debug done. Loaded symbols for /lib/ld-linux.so.2 Reading symbols from /lib/libnss_files.so.2... warning: Missing the separate debug info file: /usr/lib/debug/.build-id/10/d12e928f0dfd302e8c6922e8743ad6786d464d.debug done. Loaded symbols for /lib/libnss_files.so.2 warning: Missing the matching library file: /usr/lib/debug/.build-id/fb/601234f43e181ec146c30341cfedde4486e4e9 warning: Missing the matching library file: /usr/lib/debug/.build-id/7f/8d2ae53f877fdc20b83e7cc4f11ace35da0565 warning: Missing the matching library file: /usr/lib/debug/.build-id/10/d12e928f0dfd302e8c6922e8743ad6786d464d Core was generated by `/sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient-eth1.leases -pf /var/run/dh'. Program terminated with signal 11, Segmentation fault. #0 0x08063331 in get_char (cfile=0x8fcec68) at conflex.c:185 185 c = cfile->inbuf [cfile->bufix]; (gdb) thread apply all bt Thread 1 (process 20375): #0 0x08063331 in get_char (cfile=0x8fcec68) at conflex.c:185 #1 0x080666cf in get_raw_token (cfile=0x8fcec68) at conflex.c:258 #2 0x08066eb8 in get_next_token (rval=0xbfc8bba8, rlen=0x0, cfile=0x8fcec68, raw=isc_boolean_false) at conflex.c:323 #3 0x080770d2 in skip_to_rbrace (cfile=0x8fcec68, brace_count=0) at parse.c:131 #4 0x08077165 in skip_to_semi (cfile=0x8fcec68) at parse.c:97 #5 0x0804ff76 in read_client_leases () at clparse.c:286 #6 0x0805942f in main (argc=8, argv=0xbfc8beb4, envp=0x8fcec84) at dhclient.c:752 #7 0x001274a0 in __libc_start_main () from /lib/libc.so.6 #8 0x0804df01 in _start () (gdb) qui Expected results: ifup succeeds normally Additional info: dhclient-3.1.0-12.fc9 seems no problem.
The dhclient.leases file formats changed in version 4.0.0. I will fix up the postinstall script in the RPM to clean these up on upgrade, but for now you can do this: rm /var/lib/dhclient/* And then run dhclient again. Should work fine after that.
Thank you for information. (In reply to comment #1) > I will fix up the > postinstall script in the RPM to clean these up on upgrade, I want to try this so I will wait for new rpms.
> but for now you can do this: > rm /var/lib/dhclient/* > And then run dhclient again. Should work fine after that. I am afraid that it does not work for me. First of all I saved old leases file for dhclient, restarted an interfarce with a new dhclient-4.0.0-2.fc9 and I do not see any format differences. Only timestamps on renew, rebind and expire fields changed - which is to be fully expected. The second problem is that if there is no /var/lib/dhclient/dhclient-eth1.leases file (I have eth1 on DHCP) then eth1 starts just fine. After that 'ifdown eth1; ifup eth1' causes an instant segfault. Here is what I see in a dumped core after dhcp-debuginfo package was installed: Core was generated by `/sbin/dhclient -1 -q -lf /var/lib/dhclient/dhclient-eth1.leases -pf /var/run/dh'. Program terminated with signal 11, Segmentation fault. #0 0x000000000041b6cf in get_char (cfile=0x8829e0) at conflex.c:185 185 c = cfile->inbuf [cfile->bufix]; (gdb) where #0 0x000000000041b6cf in get_char (cfile=0x8829e0) at conflex.c:185 #1 0x000000000041e5e7 in get_raw_token (cfile=0x8829e0) at conflex.c:258 #2 0x000000000041ec4c in do_peek_token (rval=0x7fffb2410898, rlen=0x0, cfile=0x8829e0, raw=isc_boolean_false) at conflex.c:391 #3 0x000000000042dd5f in skip_to_rbrace (cfile=0x8829e0, brace_count=0) at parse.c:111 #4 0x000000000040a72e in read_client_leases () at clparse.c:286 #5 0x0000000000412112 in main (argc=8, argv=<value optimized out>, envp=<value optimized out>) at dhclient.c:752 #6 0x00000038f701e2b4 in __libc_start_main () from /lib64/libc.so.6 #7 0x0000000000408989 in _start () (gdb) l 180 c = cfile -> read_function (cfile); 181 } else { 182 c = EOF; 183 } 184 } else { 185 c = cfile->inbuf [cfile->bufix]; 186 cfile->bufix++; 187 } 188 189 if (!cfile->ugflag) { (gdb) p cfile $1 = (struct parse *) 0x8829e0 (gdb) p *cfile $2 = {lexline = 29, lexchar = 3647, token_line = 0x882a0c "", prev_line = 0x882a5d "}", cur_line = 0x882a0c "", tlname = 0x7fffb2412aac "/var/lib/dhclient/dhclient-eth1.leases", eol_token = 0, line1 = '\0' <repeats 80 times>, line2 = "}\000rebind 6 2008/01/19 14:40:20;\000om\";\00023.254,199.185.130.12,199.185.130.13;\000\000\000\000\000\000", lpos = 3648, line = 29, tlpos = 3647, tline = 29, token = 0, ugflag = 0, tval = 0x677a78 "", tlen = 1, tokbuf = "\n\000\0008\000e\000e.com\000dentifier", '\0' <repeats 1477 times>, warnings_occurred = 0, file = 4, inbuf = 0x2aaaaab0f000 <Address 0x2aaaaab0f000 out of bounds>, bufix = 4096, buflen = 18446744073709551615, bufsiz = 449, saved_state = 0x0, read_function = 0x41f000 <read_function>} (gdb) Well, cfile->inbuf is clearly a garbage so a segfault is quite appriopriate. An obvious workaround for now is "rm -f" on a leases file before an attempt to bring an interface up. rm -f /var/lib/dhclient/dhclient-${DEVICE}.leases on line 171 in /etc/sysconfig/network-scripts/ifup-eth does work for ethX devices but clearly is not a fix.
rm -f /var/lib/dhclient/dhclient-${DEVICE}.leases This did not work for me. And .3 from koji did not fix the problem? Darwin
> rm -f /var/lib/dhclient/dhclient-${DEVICE}.leases > This did not work for me. Not on a command line! In a file /etc/sysconfig/network-scripts/ifup-eth and then ${DEVICE} is set to an interface you are using. Otherwise you are trying 'rm -f /var/lib/dhclient/dhclient-.leases' and that will silently return doing nothing. > And .3 from koji did not fix the problem? I do not know; but comment #1 misidentifies the issue so chances are quite poor.
So if -3 does not fix the issue, what will work? I am currently running with a known static address after seeing the failure on boot. Should I stick to static vs. dynamic? The router seems to be forgiving without addressing changes to the router set up as a gateway.
> So if -3 does not fix the issue I looked at sources and I do not see anything for dhclient-4.0.0-3.fc9 which would address the issue. Just to confirm I run it and got myself immediately a shiny new core - as expected. > what will work? - applying, properly, a hack from comment #3 will temporary paper over - backing off to dhclient-3.1.0-12.fc9 will work - using a static address, if you can, will avoid the problem; it should NOT be from a range covered by your dynamic pool or you may end up with two different interfaces having the same address.
Hey guys, thanks for all the info. This is a _very_ strange problem that I've never run in to before. I am working on it now and will have a real fix soon. If you have any other info on dhclient-4.0.0-2.fc9, post here.
Well, 'buflen = 18446744073709551615' in a gdb trace I posted translates to 0xffffffffffffffff in hex or -1 if signed. Does that ring a bell? This does not look a healthy length of a buffer unless it was used somewhere as a flag.
Fixed in dhcp-4.0.0-4.fc9. dhclient will now read dhclient.lease files correctly. Homemade parsers irritate me. Thanks again guys for all the troubleshooting help. Helped me track down the problem.
Thanks. dhclient-4.0.0-4.fc9 works for me. Indeed it does not attempt to read past the end of leases file. :-) I did not look what dhcp server from 4.0.0 is doing but if the same parser is used to process old leases then the bug may show in that place too. Or this is just the same parser, period? In that case you fixed both.
The same [bad] parser code is used in both the client and server.
*** Bug 429115 has been marked as a duplicate of this bug. ***
*** Bug 429156 has been marked as a duplicate of this bug. ***