Bug 466846 - Zebra crashes due to function return size assumption
Status: CLOSED DUPLICATE of bug 528583
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: quagga
5.2
All Linux
medium Severity medium
Assigned To: Jiri Skala
BaseOS QE
Reported: 2008-10-14 01:53 EDT by Wade Mealing
Modified: 2014-11-09 17:31 EST (History)

Doc Type: Bug Fix
Last Closed: 2010-03-29 04:12:58 EDT
Attachments
Attachment to include the function declaration and relevant header. (797 bytes, patch)
2008-10-14 01:53 EDT, Wade Mealing
Description Wade Mealing 2008-10-14 01:53:32 EDT
Created attachment 320254
Attachment to include the function declaration and relevant header.

Description of problem:

Looks like log.h wasn't included as a header, so the compiler assumed the return type was int. When it returned a char (smaller than int on 64 bit), the address that was pointed to was wrong, and vsnprintf crashes due to accessing invalid memory.

(gdb) bt
#0  0x00002ad6fc9172b0 in strlen () from /lib64/libc.so.6
#1  0x00002ad6fc8e5729 in _IO_vfprintf_internal (s=0x7fffaf3b8f60, format=<value optimized out>, ap=0x7fffaf3b90e0) at vfprintf.c:1587
#2  0x00002ad6fc983b58 in ___vsnprintf_chk (s=0x7fffaf3b9100 "", maxlen=<value optimized out>, flags=1, slen=<value optimized out>,
   format=0x2ad6fb711a93 "%-10s  : none%s", args=0x7fffaf3b90e0) at vsnprintf_chk.c:65
#3  0x00002ad6fbd57da6 in vty_out (vty=0x2ad6fe5dcb00, format=0x2ad6fb711a93 "%-10s  : none%s") at vty.c:109
#4  0x00002ad6fb704002 in show_ip_protocol (self=<value optimized out>, vty=0x2ad6fe5dcb00, argc=<value optimized out>, argv=<value optimized out>)
   at zebra_vty.c:1990
#5  0x00002ad6fbd5ea36 in cmd_execute_command_real (vline=0x2ad6fe5dc6b0, vty=0x2ad6fe5dcb00, cmd=0x0) at command.c:2090
#6  0x00002ad6fbd5eb46 in cmd_execute_command (vline=0x2ad6fe5dc6b0, vty=0x2ad6fe5dcb00, cmd=0x0, vtysh=0) at command.c:2125
#7  0x00002ad6fbd585c8 in vty_command (vty=0x2ad6fe5dcb00, buf=<value optimized out>) at vty.c:364
#8  0x00002ad6fbd59550 in vty_execute (vty=0xfbd86502) at vty.c:1206
#9  0x00002ad6fbd5a02d in vty_read (thread=<value optimized out>) at vty.c:1419
#10 0x00002ad6fbd6316f in thread_call (thread=0x7fffaf3b9bf0) at thread.c:855
#11 0x00002ad6fb6f8f6d in main (argc=6, argv=0x7fffaf3b9de8) at main.c:381

Hello, this is Quagga (version 0.98.6).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password: 
Router> 
Router> show ip protocolConnection closed by foreign host.



Version-Release number of selected component (if applicable):
quagga-0.98.6-5.el5.src.rpm

How reproducible:
Every time

Actual results:

Segfault.

Expected results:

Router> show ip protocol
Protocol    : route-map 
------------------------
system      : none
kernel      : none
connected   : none
static      : none
rip         : none
ripng       : none
ospf        : none
ospf6       : none
isis        : none
bgp         : none
hsls        : none
any         : none


Additional info:

Patch attached.
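The mechanism behind this crash, as an added example that is not part of the bug report or of Quagga's code: a callee returns a string pointer (what the `%s` in the crashing vty_out format consumes), and a model of what the caller keeps when no prototype is in scope and the return type defaults to int, so only the low 32 bits survive and are then sign-extended. The helper name route_map_name is hypothetical; the address fed to the model is the vty_out format-string address from the backtrace above. Building with gcc's -Werror=implicit-function-declaration turns a missing include like this into a compile error instead of a runtime segfault.

```c
#include <stdint.h>
#include <stdio.h>

/* What the code intended: a helper returning a string, i.e. a 64-bit
 * pointer on x86-64.  Hypothetical name, not quagga's own function. */
static const char *route_map_name(int proto)
{
    return proto == 0 ? "none" : "rm-example";   /* constructed data */
}

/* Model of a call made without a prototype in scope: C89 rules make the
 * compiler treat the callee as returning int, so the caller keeps only
 * the low 32 bits of the returned pointer and then sign-extends them
 * when that int is widened back to a pointer-sized value. */
uint64_t implicit_int_truncate(uint64_t ptr)
{
    int32_t as_int = (int32_t)(uint32_t)ptr;   /* low 32 bits, as int */
    return (uint64_t)(int64_t)as_int;          /* sign-extended */
}

/* Does a pointer value survive the round trip through int?  Only when
 * its high 32 bits already equal the sign extension of bit 31, which is
 * why 32-bit builds and low-address non-PIE binaries hide this bug. */
int survives_implicit_int(uint64_t ptr)
{
    return implicit_int_truncate(ptr) == ptr;
}

/* Same check on a live string pointer from this process; the answer
 * depends on where the linker and loader placed .rodata. */
int live_string_survives(void)
{
    const char *s = route_map_name(0);
    return survives_implicit_int((uint64_t)(uintptr_t)s);
}

int main(void)
{
    /* Format-string address taken from frame #3 of the gdb backtrace. */
    uint64_t fmt = 0x2ad6fb711a93ULL;
    printf("%#llx -> %#llx (%s)\n", (unsigned long long)fmt,
           (unsigned long long)implicit_int_truncate(fmt),
           survives_implicit_int(fmt) ? "ok" : "garbage pointer");
    printf("live string pointer survives: %d\n", live_string_survives());
    return 0;
}
```

The truncated value 0xfffffffffb711a93 lies in the kernel half of the address space, which is why strlen inside vsnprintf faults as soon as it dereferences it.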
Comment 3 RHEL Product and Program Management 2009-03-26 13:20:48 EDT
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 4 Wade Mealing 2009-06-30 11:15:45 EDT
Proposing again for 5.5.
Comment 7 Jiri Skala 2010-03-29 04:12:58 EDT

*** This bug has been marked as a duplicate of bug 528583 ***
