Created attachment 364531
Proposed patch

Description of problem:
When the "show ip protocol" command is issued to a running zebra server, the zebra process will segfault.

Version-Release number of selected component (if applicable):
quagga-0.98.6-5.el5

How reproducible:
100%

Steps to Reproduce:
0. Create a zebra config file (/etc/quagga/zebra.conf) with the following entries:

password zebra
enable password zebra
log file /var/log/quagga/zebra.log
no ip forwarding
line vty
exec-timeout 0 0

1. Run '/usr/sbin/zebra -A 127.0.0.1 -f /etc/quagga/zebra.conf' from the command line.
2. From another terminal on the same system, run: telnet 127.0.0.1 2601
3. In the resulting telnet session, enter the password specified in /etc/quagga/zebra.conf (zebra).
4. In the telnet session, enter the command "show ip protocol".

Actual results:
The zebra process started in step 1 segfaults. The backtrace in /var/log/quagga/zebra.log will look like:

ZEBRA: Received signal 11 at 1253222302 (si_addr 0xc384e502); aborting...
Backtrace for 18 stack frames:
/usr/lib64/quagga/libzebra.so.0(zlog_backtrace_sigsafe+0x43)
/usr/lib64/quagga/libzebra.so.0(zlog_signal+0x1a0)
/usr/lib64/quagga/libzebra.so.0
/lib64/libc.so.6
/lib64/libc.so.6(strlen+0x10)
/lib64/libc.so.6(_IO_vfprintf+0x4479)
/lib64/libc.so.6(__vsnprintf_chk+0xa8)
/usr/lib64/quagga/libzebra.so.0(vty_out+0x196)
zebra
/usr/lib64/quagga/libzebra.so.0
/usr/lib64/quagga/libzebra.so.0(cmd_execute_command+0xe6)
/usr/lib64/quagga/libzebra.so.0(vty_command+0x48)
/usr/lib64/quagga/libzebra.so.0
/usr/lib64/quagga/libzebra.so.0
/usr/lib64/quagga/libzebra.so.0(thread_call+0x7f)
zebra(main+0x35d)
/lib64/libc.so.6(__libc_start_main+0xf4)
zebra

Expected results:
No segfault.
Information like the following should appear in the telnet session:

hostname> show ip protocol
Protocol    : route-map
------------------------
system     : none
kernel     : none
connected  : none
static     : none
rip        : none
ripng      : none
ospf       : none
ospf6      : none
isis       : none
bgp        : none
hsls       : none
any        : none

Additional info:
The segfault occurs on 64-bit systems. It has been verified to occur on s390x and x86_64.

The cause of the segfault is the fact that zebra_route_string() is not being declared in lib/zebra.h, which is included by zebra/zebra_vty.c. The attached patch rectifies this error (as well as a couple of additional missing definitions).

zebra_route_string() is defined in lib/log.c as:

715 const char *
716 zebra_route_string(u_int zroute)

but when it is called by show_ip_protocol() in zebra/zebra_vty.c:

1972 DEFUN (show_ip_protocol,
1973        show_ip_protocol_cmd,
1974        "show ip protocol",
1975        SHOW_STR
1976        IP_STR
1977        "IP protocol filtering status\n")
1978 {
[...]
1983   for (i=0;i<ZEBRA_ROUTE_MAX;i++)
1984     {
1985       if (proto_rm[AFI_IP][i])
1986         vty_out (vty, "%-10s : %-10s%s", zebra_route_string(i),
1987                  proto_rm[AFI_IP][i],
1988                  VTY_NEWLINE);
1989       else
1990         vty_out (vty, "%-10s : none%s", zebra_route_string(i), VTY_NEWLINE);
[...]

zebra_route_string() is compiled as "int zebra_route_string()" because it has no previous declaration. On 64-bit systems, the char* that is returned from zebra_route_string() is truncated to an int, but vty_out() expects a char*, so it happily grabs whatever garbage is next to the truncated value and uses it as a char*. The resulting pointer is most likely to be out of bounds, resulting in a segfault.
The following messages from the build.log file for quagga-0.98.5-5.el5.x86_64 confirm this:

zebra_vty.c: In function 'ip_protocol':
zebra_vty.c:553: warning: implicit declaration of function 'proto_name2num'
zebra_vty.c: In function 'show_ip_protocol':
zebra_vty.c:1986: warning: implicit declaration of function 'zebra_route_string'
zebra_vty.c:1988: warning: format '%-10s' expects type 'char *', but argument 3 has type 'int'
zebra_vty.c:1990: warning: format '%-10s' expects type 'char *', but argument 3 has type 'int'
zebra_vty.c: In function 'config_write_protocol':
zebra_vty.c:2078: warning: format '%s' expects type 'char *', but argument 3 has type 'int'

I have verified that, with the attached patch, zebra does not segfault on x86_64 with the reproduction steps listed above.
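Added example, not code from the report or from Quagga: a constructed stand-in for zebra_route_string() with the prototype the patch supplies, the two vty_out() format strings quoted above, and a model of how a const char* returned through an implicit "int" declaration collapses to its low 32 bits. The zero-extension in as_seen_through_implicit_int() is an assumption about x86-64 register behaviour, not something the report states; the sample address is constructed so that its low 32 bits match the si_addr in the crash log.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for lib/log.c's zebra_route_string(): the route type
 * names in the order of the report's expected "show ip protocol" output. */
static const char *const route_names[] = {
    "system", "kernel", "connected", "static", "rip", "ripng",
    "ospf", "ospf6", "isis", "bgp", "hsls", "any",
};
#define ROUTE_MAX (sizeof route_names / sizeof route_names[0])

/* The prototype is the whole fix: once the calling translation unit sees it,
 * the compiler knows the function returns a pointer, not an int. */
const char *route_string(unsigned zroute);

const char *route_string(unsigned zroute)
{
    return zroute < ROUTE_MAX ? route_names[zroute] : "unknown";
}

/* Models what an implicitly declared "int f()" gives the caller: the callee
 * returns the full 64-bit pointer, the caller keeps only the low 32 bits and
 * zero-extends them when passing the int on to the variadic vty_out()
 * (assumption: x86-64 behaviour; the real bug is undefined behaviour).
 * Any address that does not fit in 32 bits, which heap, stack and shared
 * library addresses on 64-bit Linux normally do not, comes back changed. */
uintptr_t as_seen_through_implicit_int(uintptr_t real_addr)
{
    return (uintptr_t)(uint32_t)real_addr;
}

/* One table row, using the two format strings from zebra_vty.c. */
int format_row(char *buf, size_t n, unsigned zroute, const char *route_map)
{
    if (route_map)
        return snprintf(buf, n, "%-10s : %-10s\n", route_string(zroute), route_map);
    return snprintf(buf, n, "%-10s : none\n", route_string(zroute));
}

int main(void)
{
    char row[64];
    /* Constructed address whose low 32 bits are the si_addr from the crash log. */
    uintptr_t p = (uintptr_t)0x00007f30c384e502ULL;
    format_row(row, sizeof row, 0, NULL);
    printf("%sreal %#lx seen as %#lx\n", row, (unsigned long)p,
           (unsigned long)as_seen_through_implicit_int(p));
    return 0;
}
```

Building with -Werror=implicit-function-declaration (and -Wformat) turns the warnings quoted from the build log into build failures, which catches this class of defect before it reaches a running daemon.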
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. If you would like this request to be reviewed for the next minor release, ask your support representative to set the next rhel-x.y flag to "?".
*** Bug 466846 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0050.html