Bug 528583 - Missing declarations cause zebra to segfault
Summary: Missing declarations cause zebra to segfault
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: quagga
Version: 5.4
Hardware: x86_64
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Adam Tkac
QA Contact: qe-baseos-daemons
URL:
Whiteboard:
Duplicates: 466846
Depends On:
Blocks: 502912 576903
 
Reported: 2009-10-12 23:58 UTC by Bryan Mason
Modified: 2018-10-27 15:20 UTC (History)
7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-08 07:25:09 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Proposed patch (1.02 KB, patch)
2009-10-12 23:58 UTC, Bryan Mason


Links
Red Hat Product Errata RHBA-2013:0050 (normal, SHIPPED_LIVE): quagga bug fix update, last updated 2013-01-07 15:28:04 UTC

Description Bryan Mason 2009-10-12 23:58:26 UTC
Created attachment 364531
Proposed patch

Description of problem:

    When the "show ip protocol" command is issued to a running zebra
    server, the zebra process will segfault.

Version-Release number of selected component (if applicable):

    quagga-0.98.6-5.el5

How reproducible:

    100%

Steps to Reproduce:
 
    0. Create a zebra config file (/etc/quagga/zebra.conf) with the
       following entries:

           password zebra
           enable password zebra
           log file /var/log/quagga/zebra.log
           no ip forwarding
           line vty
           exec-timeout 0 0

    1. Run '/usr/sbin/zebra -A 127.0.0.1 -f /etc/quagga/zebra.conf'
       from the command line.

    2. From another terminal on the same system, run:
    
           telnet 127.0.0.1 2601

    3. In the resulting telnet session, enter the password specified
       in /etc/quagga/zebra.conf (zebra).

    4. In the telnet session, enter the command "show ip protocol".
  
Actual results:

    The zebra process started in step 1 segfaults.  The backtrace in
    /var/log/quagga/zebra.log will look like:

       ZEBRA: Received signal 11 at 1253222302 (si_addr 0xc384e502); aborting...
       Backtrace for 18 stack frames:
       /usr/lib64/quagga/libzebra.so.0(zlog_backtrace_sigsafe+0x43)
       /usr/lib64/quagga/libzebra.so.0(zlog_signal+0x1a0)
       /usr/lib64/quagga/libzebra.so.0
       /lib64/libc.so.6
       /lib64/libc.so.6(strlen+0x10)
       /lib64/libc.so.6(_IO_vfprintf+0x4479)
       /lib64/libc.so.6(__vsnprintf_chk+0xa8)
       /usr/lib64/quagga/libzebra.so.0(vty_out+0x196)
       zebra
       /usr/lib64/quagga/libzebra.so.0
       /usr/lib64/quagga/libzebra.so.0(cmd_execute_command+0xe6)
       /usr/lib64/quagga/libzebra.so.0(vty_command+0x48)
       /usr/lib64/quagga/libzebra.so.0
       /usr/lib64/quagga/libzebra.so.0
       /usr/lib64/quagga/libzebra.so.0(thread_call+0x7f)
       zebra(main+0x35d)
       /lib64/libc.so.6(__libc_start_main+0xf4)
       zebra 

Expected results:

    No segfault.  Information like the following should appear in the
    telnet session:

        hostname> show ip protocol
        Protocol    : route-map 
        ------------------------
        system      : none
        kernel      : none
        connected   : none
        static      : none
        rip         : none
        ripng       : none
        ospf        : none
        ospf6       : none
        isis        : none
        bgp         : none
        hsls        : none
        any         : none
        
Additional info:

    The segfault occurs on 64-bit systems.  It has been verified to
    occur on s390x and x86_64.

    The cause of the segfault is the fact that zebra_route_string() is
    not being declared in lib/zebra.h, which is included by
    zebra/zebra_vty.c.

    The attached patch rectifies this error (as well as a couple
    additional missing definitions).

    zebra_route_string() is defined in lib/log.c as:

        715 const char *
        716 zebra_route_string(u_int zroute)

    but when it is called by show_ip_protocol() in zebra/zebra_vty.c:

       1972 DEFUN (show_ip_protocol,
       1973        show_ip_protocol_cmd,
       1974        "show ip protocol",
       1975         SHOW_STR
       1976         IP_STR
       1977        "IP protocol filtering status\n")
       1978 {
    [...]
       1983     for (i=0;i<ZEBRA_ROUTE_MAX;i++)
       1984     {
       1985         if (proto_rm[AFI_IP][i])
       1986           vty_out (vty, "%-10s  : %-10s%s", zebra_route_string(i),
       1987                                         proto_rm[AFI_IP][i],
       1988                                         VTY_NEWLINE);
       1989         else
       1990           vty_out (vty, "%-10s  : none%s", zebra_route_string(i), VTY_NEWLINE);
    [...]

    zebra_route_string() is compiled as "int zebra_route_string()"
    because it has no previous declaration.  On 64-bit systems, the
    char* that is returned from zebra_route_string() is truncated to
    an int, but vty_out() expects a char* so it happily grabs
    whatever garbage is next to the truncated value and uses it as a
    char*.  The resulting pointer is most likely to be out of bounds,
    resulting in a segfault.

    The following messages from the build.log file for
    quagga-0.98.5-5.el5.x86_64 confirm this:

        zebra_vty.c: In function 'ip_protocol':
        zebra_vty.c:553: warning: implicit declaration of function
            'proto_name2num'
        zebra_vty.c: In function 'show_ip_protocol':
        zebra_vty.c:1986: warning: implicit declaration of function
            'zebra_route_string'
        zebra_vty.c:1988: warning: format '%-10s' expects type 'char
            *', but argument 3 has type 'int'
        zebra_vty.c:1990: warning: format '%-10s' expects type 'char
            *', but argument 3 has type 'int'
        zebra_vty.c: In function 'config_write_protocol':
        zebra_vty.c:2078: warning: format '%s' expects type 'char *',
            but argument 3 has type 'int'

    I have verified that, with the attached patch, zebra does not
    segfault on x86_64 with the reproduction steps listed above.
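The following C program is an added illustration of the mechanism the report describes; it is not Quagga code and not the attached patch. It models a small route-name table with a properly prototyped `route_string()` (a stand-in for `zebra_route_string()`, names assumed), then shows arithmetically what a caller that believed the function returned `int` would be left holding: only the low 32 bits of the pointer, either zero-extended (what a 32-bit register move does on x86_64) or sign-extended (what converting that `int` back to a pointer type does). The 64-bit sample address is constructed; its low 32 bits are borrowed from the `si_addr` value in the backtrace above so the effect is easy to compare. The real defence for this bug class is to make the compiler refuse the code: GCC's `-Werror=implicit-function-declaration` and `-Wformat` (both real flags) turn the warnings quoted in the build log into hard errors.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration (not Quagga code) of a char* return value being
 * cut to 32 bits because the caller saw no prototype and assumed
 * "int".  Build with -Werror=implicit-function-declaration -Wformat
 * to make the original mistake a compile error instead of a crash.
 */

/* Constructed stand-in for the zebra_route_string() name table. */
static const char *const route_names[] = {
    "system", "kernel", "connected", "static", "rip", "ripng",
    "ospf", "ospf6", "isis", "bgp", "hsls", "any",
};
#define ROUTE_MAX (sizeof route_names / sizeof route_names[0])

/* The correct shape: the prototype is visible, so callers keep all 64 bits. */
const char *route_string(unsigned zroute)
{
    return zroute < ROUTE_MAX ? route_names[zroute] : "unknown";
}

/* What a caller that treated the result as int sees after a 32-bit
 * register move: the high half of the pointer is zeroed. */
uintptr_t pointer_after_int_return(uintptr_t full)
{
    return (uintptr_t)(uint32_t)full;
}

/* Converting that int back to a pointer type sign-extends it instead,
 * giving a different, equally invalid address when bit 31 is set.
 * (uint32 -> int for values above INT_MAX is implementation-defined;
 * GCC and Clang wrap modulo 2^32, which is what this models.) */
uintptr_t pointer_after_int_to_ptr(uintptr_t full)
{
    int as_int = (int)(uint32_t)full;   /* the "int" the caller held */
    return (uintptr_t)(intptr_t)as_int;
}

/* 1 if the pointer value is unchanged by the int round trip, else 0.
 * On a 64-bit build this fails for any address at or above 2 GiB,
 * which is where heap, stack and shared-library data normally live. */
int survives_int_round_trip(uintptr_t full)
{
    return pointer_after_int_return(full) == full &&
           pointer_after_int_to_ptr(full) == full;
}

int main(void)
{
    const char *s = route_string(3);
    uintptr_t addr = (uintptr_t)s;

    printf("route 3 = \"%s\" at %#lx\n", s, (unsigned long)addr);
    printf("after int return : %#lx\n",
           (unsigned long)pointer_after_int_return(addr));
    printf("after int->ptr   : %#lx\n",
           (unsigned long)pointer_after_int_to_ptr(addr));
    printf("round trip intact: %s\n",
           survives_int_round_trip(addr) ? "yes" : "no");
    return 0;
}
```

On a typical x86_64 process the string literal lives well above 4 GiB, so the program reports that the round trip is not intact; passing the mangled value to `%s` is exactly the `strlen` fault in the reported backtrace.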

Comment 2 RHEL Program Management 2009-11-06 18:55:23 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".

Comment 9 Jiri Skala 2010-03-29 08:12:58 UTC
*** Bug 466846 has been marked as a duplicate of this bug. ***

Comment 18 errata-xmlrpc 2013-01-08 07:25:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0050.html

