Bug 466846 - Zebra crashes due to function return size assumption
Summary: Zebra crashes due to function return size assumption
Keywords:
Status: CLOSED DUPLICATE of bug 528583
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: quagga
Version: 5.2
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Jiri Skala
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-10-14 05:53 UTC by Wade Mealing
Modified: 2014-11-09 22:31 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-29 08:12:58 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Attachment to include the function declaration and relevant header. (797 bytes, patch)
2008-10-14 05:53 UTC, Wade Mealing 		no flags Details | Diff
View All

Description Wade Mealing 2008-10-14 05:53:32 UTC 
Created attachment 320254 [details]
Attachment to include the function declaration and relevant header.

Description of problem:

Looks like log.h wasn't included as a header, so the compiler assumed the return type was int.  When it returned a char, (smaller than int on 64 bit) the address that was pointed to was wrong,vsnprintf crashes due to accessing invalid memory.

(gdb) bt
#0  0x00002ad6fc9172b0 in strlen () from /lib64/libc.so.6
#1  0x00002ad6fc8e5729 in _IO_vfprintf_internal (s=0x7fffaf3b8f60, format=<value optimized out>, ap=0x7fffaf3b90e0) at vfprintf.c:1587
#2  0x00002ad6fc983b58 in ___vsnprintf_chk (s=0x7fffaf3b9100 "", maxlen=<value optimized out>, flags=1, slen=<value optimized out>,
   format=0x2ad6fb711a93 "%-10s  : none%s", args=0x7fffaf3b90e0) at vsnprintf_chk.c:65
#3  0x00002ad6fbd57da6 in vty_out (vty=0x2ad6fe5dcb00, format=0x2ad6fb711a93 "%-10s  : none%s") at vty.c:109
#4  0x00002ad6fb704002 in show_ip_protocol (self=<value optimized out>, vty=0x2ad6fe5dcb00, argc=<value optimized out>, argv=<value optimized out>)
   at zebra_vty.c:1990
#5  0x00002ad6fbd5ea36 in cmd_execute_command_real (vline=0x2ad6fe5dc6b0, vty=0x2ad6fe5dcb00, cmd=0x0) at command.c:2090
#6  0x00002ad6fbd5eb46 in cmd_execute_command (vline=0x2ad6fe5dc6b0, vty=0x2ad6fe5dcb00, cmd=0x0, vtysh=0) at command.c:2125
#7  0x00002ad6fbd585c8 in vty_command (vty=0x2ad6fe5dcb00, buf=<value optimized out>) at vty.c:364
#8  0x00002ad6fbd59550 in vty_execute (vty=0xfbd86502) at vty.c:1206
#9  0x00002ad6fbd5a02d in vty_read (thread=<value optimized out>) at vty.c:1419
#10 0x00002ad6fbd6316f in thread_call (thread=0x7fffaf3b9bf0) at thread.c:855
#11 0x00002ad6fb6f8f6d in main (argc=6, argv=0x7fffaf3b9de8) at main.c:381

Hello, this is Quagga (version 0.98.6).
Copyright 1996-2005 Kunihiro Ishiguro, et al.


User Access Verification

Password: 
Router> 
Router> show ip protocolConnection closed by foreign host.



Version-Release number of selected component (if applicable):
quagga-0.98.6-5.el5.src.rpm

How reproducible:
Every time

 
Actual results:

Segfault.

Expected results:

Router> show ip protocol
Protocol    : route-map 
------------------------
system      : none
kernel      : none
connected   : none
static      : none
rip         : none
ripng       : none
ospf        : none
ospf6       : none
isis        : none
bgp         : none
hsls        : none
any         : none


Additional info:

Patch attached.
Comment 3 RHEL Program Management 2009-03-26 17:20:48 UTC 
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 4 Wade Mealing 2009-06-30 15:15:45 UTC 
Proposing again for 5.5.
Comment 7 Jiri Skala 2010-03-29 08:12:58 UTC 

*** This bug has been marked as a duplicate of bug 528583 ***
Note You need to log in before you can comment on or make changes to this bug.