Red Hat Bugzilla – Bug 466846
Zebra crashes due to function return size assumption
Last modified: 2014-11-09 17:31:24 EST
Created attachment 320254
Attachment to include the function declaration and relevant header.
Description of problem:
Looks like log.h wasn't included as a header, so the compiler assumed the return type was int. When it returned a char (smaller than int on 64 bit), the address that was pointed to was wrong, and vsnprintf crashes due to accessing invalid memory.
#0 0x00002ad6fc9172b0 in strlen () from /lib64/libc.so.6
#1 0x00002ad6fc8e5729 in _IO_vfprintf_internal (s=0x7fffaf3b8f60, format=<value optimized out>, ap=0x7fffaf3b90e0) at vfprintf.c:1587
#2 0x00002ad6fc983b58 in ___vsnprintf_chk (s=0x7fffaf3b9100 "", maxlen=<value optimized out>, flags=1, slen=<value optimized out>,
format=0x2ad6fb711a93 "%-10s : none%s", args=0x7fffaf3b90e0) at vsnprintf_chk.c:65
#3 0x00002ad6fbd57da6 in vty_out (vty=0x2ad6fe5dcb00, format=0x2ad6fb711a93 "%-10s : none%s") at vty.c:109
#4 0x00002ad6fb704002 in show_ip_protocol (self=<value optimized out>, vty=0x2ad6fe5dcb00, argc=<value optimized out>, argv=<value optimized out>)
#5 0x00002ad6fbd5ea36 in cmd_execute_command_real (vline=0x2ad6fe5dc6b0, vty=0x2ad6fe5dcb00, cmd=0x0) at command.c:2090
#6 0x00002ad6fbd5eb46 in cmd_execute_command (vline=0x2ad6fe5dc6b0, vty=0x2ad6fe5dcb00, cmd=0x0, vtysh=0) at command.c:2125
#7 0x00002ad6fbd585c8 in vty_command (vty=0x2ad6fe5dcb00, buf=<value optimized out>) at vty.c:364
#8 0x00002ad6fbd59550 in vty_execute (vty=0xfbd86502) at vty.c:1206
#9 0x00002ad6fbd5a02d in vty_read (thread=<value optimized out>) at vty.c:1419
#10 0x00002ad6fbd6316f in thread_call (thread=0x7fffaf3b9bf0) at thread.c:855
#11 0x00002ad6fb6f8f6d in main (argc=6, argv=0x7fffaf3b9de8) at main.c:381
Hello, this is Quagga (version 0.98.6).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
User Access Verification
Router> show ip protocol
Connection closed by foreign host.
Version-Release number of selected component (if applicable):
Router> show ip protocol
Protocol : route-map
system : none
kernel : none
connected : none
static : none
rip : none
ripng : none
ospf : none
ospf6 : none
isis : none
bgp : none
hsls : none
any : none
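The failure mode in the description, as an added example that is not part of the original report or of Quagga's code: a function used without its prototype is assumed to return int, so on an LP64 build only the low 32 bits of a returned pointer reach the caller. The names `proto_name`, `seen_by_caller` and `survives_implicit_int` are hypothetical, and the sample addresses are constructed except for the one copied from frame #3 of the backtrace.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the function whose prototype lives in log.h. */
static const char *proto_name(void) { return "kernel"; }

/* Value a caller sees when it treats a 64-bit pointer return as int:
 * the low 32 bits are kept and sign-extended back to pointer width. */
uint64_t seen_by_caller(uint64_t real_ptr)
{
    uint64_t low = real_ptr & 0xffffffffULL;
    return (low & 0x80000000ULL) ? (low | 0xffffffff00000000ULL) : low;
}

/* 1 when the pointer survives the round trip, so the bug stays hidden. */
int survives_implicit_int(uint64_t real_ptr)
{
    return seen_by_caller(real_ptr) == real_ptr;
}

int main(void)
{
    struct { const char *label; uint64_t addr; } samples[] = {
        /* Constructed: a low address, as in a non-PIE binary's data segment. */
        { "constructed low address", 0x00000000004a2f10ULL },
        /* Representative high address, copied from frame #3 above. */
        { "address from frame #3", 0x00002ad6fb711a93ULL },
        /* A real string pointer in whatever process runs this example. */
        { "live pointer in this process", (uint64_t)(uintptr_t)proto_name() },
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t seen = seen_by_caller(samples[i].addr);
        printf("%-30s real=0x%016" PRIx64 " seen=0x%016" PRIx64 " %s\n",
               samples[i].label, samples[i].addr, seen,
               survives_implicit_int(samples[i].addr) ? "intact" : "CORRUPTED");
    }
    return 0;
}
```

Building with `-Werror=implicit-function-declaration` (GCC and Clang) turns the missing `#include` into a compile error instead of a crash at run time.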
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Proposing again for 5.5.
*** This bug has been marked as a duplicate of bug 528583 ***