684167 – SEGV in snmpd in var_hrswrun() in host/hr_swrun.c.

Bug 684167 - SEGV in snmpd in var_hrswrun() in host/hr_swrun.c.

Summary: SEGV in snmpd in var_hrswrun() in host/hr_swrun.c.

Keywords:
Status:	CLOSED DUPLICATE of bug 683563
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	net-snmp
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Jan Safranek
QA Contact:	BaseOS QE Security Team
Docs Contact:
URL:
Whiteboard:
Depends On:	683142
Blocks:	683563
TreeView+	depends on / blocked

Reported:	2011-03-11 11:18 UTC by Jan Safranek
Modified:	2011-03-11 11:52 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	683142
Environment:
Last Closed:	2011-03-11 11:52:05 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jan Safranek 2011-03-11 11:18:24 UTC

+++ This bug was initially created as a clone of Bug #683142 +++

Description of problem:

Customer is seeing SEGV in var_hrswrun() in host/hr_swrun.c to to failure to check fgets return code.


Version-Release number of selected component (if applicable):

net-snmp-5.3.2.2-5.el5 


How reproducible:

Not easy, it require the tested process to terminate between snmpd opening and reading the status file.

--- Additional comment from mpoole on 2011-03-08 11:43:11 EST ---

-------------------------------------------------------------------------------
Core was generated by `/usr/sbin/snmpd -LS 5d -Lf /dev/null -p /var/run/snmpd.pid -a'.
Program terminated with signal 11, Segmentation fault.
[New process 7428]
[New process 7430]
#0 var_hrswrun (vp=0x7fff2954a070, name=<value optimized out>, length=<value optimized out>,
exact=<value optimized out>, var_len=<value optimized out>, write_method=<value optimized out>)
at host/hr_swrun.c:1152
1152 while (*cp != ' ')
-------------------------------------------------------------------------------

Here is a part of var_hrswrun() to review.
-------------------------------------------------------------------------------
461 u_char *
462 var_hrswrun(struct variable * vp,
463 oid * name,
464 size_t * length,
465 int exact, size_t * var_len, WriteMethod ** write_method)
466 {
<snip>
1143 #elif defined(linux)
1144 sprintf(string, "/proc/%d/stat", pid);
1145 if ((fp = fopen(string, "r")) == NULL) {
1146 long_return = 0;
1147 return (u_char *) & long_return;
1148 }
1149 fgets(buf, sizeof(buf), fp);
1150 cp = buf;
1151 for (i = 0; i < 23; ++i) { /* skip 23 fields */
1152 while (*cp != ' ')
1153 ++cp;
1154 ++cp;
1155 }
1156 long_return = atoi(cp) * (getpagesize() / 1024); /* rss
*/
1157 fclose(fp);

--- Additional comment from jsafrane on 2011-03-11 06:14:25 EST ---

I've fixed it upstream in net-snmp-5.4 and 5.5 branches, SVN rev. 20115.

Comment 1 Jan Safranek 2011-03-11 11:52:05 UTC

Oops, better check BZ before cloning :)

*** This bug has been marked as a duplicate of bug 683563 ***

Note You need to log in before you can comment on or make changes to this bug.