Bug 913614 - Certain names makes wins name lookup crash
Summary: Certain names makes wins name lookup crash
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: samba
Version: 18
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1000780 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-02-21 15:53 UTC by Bart Van Assche
Modified: 2014-02-05 19:22 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-02-05 19:22:15 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
/etc/samba/smb.conf (11.34 KB, text/plain)
2013-02-21 16:20 UTC, Bart Van Assche
no flags Details

Description Bart Van Assche 2013-02-21 15:53:59 UTC
Description of problem: wins name lookup from inside Net-SNMP triggers a crash for certain names


Version-Release number of selected component (if applicable):

rpm -qf /usr/lib/libsmbconf.so.0
samba-libs-4.0.3-1.fc18.i686

How reproducible: 100%


Steps to Reproduce:
1. Check out master branch of Net-SNMP.
2. Build the Net-SNMP source code.
3. echo "com2sec t407a no.such.address. c407a" >snmpd.conf
4. Run the following command:
LD_LIBRARY_PATH=agent/.libs:snmplib/.libs valgrind agent/.libs/snmpd -Mmibs -f -d -r -U -Lo  -C -c snmpd.conf udp:127.0.0.1:8794

  
Actual results:

==17599== Warning: silly arg (-1095427497) to malloc()
==17599== Invalid read of size 1
==17599==    at 0x41B8F8F2: load_interfaces (in /usr/lib/libsmbconf.so.0)
==17599==    by 0x605701B: _nss_wins_gethostbyname_r (in /usr/lib/libnss_wins.so.2)
==17599==    by 0x6057252: _nss_wins_gethostbyname2_r (in /usr/lib/libnss_wins.so.2)
==17599==    by 0x4112DD03: gethostbyname2_r@@GLIBC_2.1.2 (in /usr/lib/libc-2.16.so)
==17599==    by 0x410F8869: gaih_inet (in /usr/lib/libc-2.16.so)
==17599==    by 0x410FB4BA: getaddrinfo (in /usr/lib/libc-2.16.so)
==17599==    by 0x4392BB9: netsnmp_getaddrinfo (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==    by 0x4392938: netsnmp_gethostbyname_v4 (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==    by 0x43CBD69: netsnmp_udp_parse_security (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==    by 0x4397B50: run_config_handler (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==    by 0x4398FD6: read_config (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==    by 0x439787F: read_config_with_type_when (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==  Address 0xf is not stack'd, malloc'd or (recently) free'd
==17599== 
==17599== 
==17599== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==17599==  Access not within mapped region at address 0xF
==17599==    at 0x41B8F8F2: load_interfaces (in /usr/lib/libsmbconf.so.0)
==17599==    by 0x605701B: _nss_wins_gethostbyname_r (in /usr/lib/libnss_wins.so.2)
==17599==    by 0x6057252: _nss_wins_gethostbyname2_r (in /usr/lib/libnss_wins.so.2)
==17599==    by 0x4112DD03: gethostbyname2_r@@GLIBC_2.1.2 (in /usr/lib/libc-2.16.so)
==17599==    by 0x410F8869: gaih_inet (in /usr/lib/libc-2.16.so)
==17599==    by 0x410FB4BA: getaddrinfo (in /usr/lib/libc-2.16.so)
==17599==    by 0x4392BB9: netsnmp_getaddrinfo (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==    by 0x4392938: netsnmp_gethostbyname_v4 (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==    by 0x43CBD69: netsnmp_udp_parse_security (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==    by 0x4397B50: run_config_handler (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==    by 0x4398FD6: read_config (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==    by 0x439787F: read_config_with_type_when (in /home/bart/software/net-snmp/snmplib/.libs/libnetsnmp.so.30.0.1)
==17599==  If you believe this happened as a result of a stack
==17599==  overflow in your program's main thread (unlikely but
==17599==  possible), you can try to increase the size of the
==17599==  main thread stack using the --main-stacksize= flag.
==17599==  The main thread stack size used in this run was 8388608.

Expected results:

No SIGSEGV

Comment 1 Andreas Schneider 2013-02-21 16:02:40 UTC
Can you install samba-debuginfo and run with gdb instead of valgrind to get a full backtrace?

Also please post your nsswitch.conf and smb.conf.

Comment 2 Bart Van Assche 2013-02-21 16:19:31 UTC
$ grep ^hosts /etc/nsswitch.conf
hosts:      files wins dns myhostname

(gdb) bt
#0  0x41b8f8f2 in load_interfaces () at ../source3/lib/interface.c:524
#1  0xb7ba901c in nss_wins_init () at ../nsswitch/wins.c:57
#2  lookup_byname_backend (count=0xbfffd230, 
    name=0xbfffd2bc "no.such.address.") at ../nsswitch/wins.c:69
#3  _nss_wins_gethostbyname_r (
    hostname=hostname@entry=0xbfffdbe7 "no.such.address.", 
    he=he@entry=0xbfffd93c, buffer=buffer@entry=0xbfffd4b0 "\177", 
    buflen=buflen@entry=916, h_errnop=h_errnop@entry=0xb7bc9708)
    at ../nsswitch/wins.c:303
#4  0xb7ba9253 in _nss_wins_gethostbyname2_r (
    name=0xbfffdbe7 "no.such.address.", af=2, he=0xbfffd93c, 
    buffer=0xbfffd4b0 "\177", buflen=916, h_errnop=0xb7bc9708)
    at ../nsswitch/wins.c:400
#5  0x4112dd04 in __gethostbyname2_r (
    name=name@entry=0xbfffdbe7 "no.such.address.", af=af@entry=2, 
    resbuf=resbuf@entry=0xbfffd93c, buffer=0xbfffd4b0 "\177", 
    buflen=buflen@entry=916, result=0xbfffd938, 
    h_errnop=h_errnop@entry=0xbfffd934) at ../nss/getXXbyYY_r.c:255
#6  0x410f886a in gaih_inet (name=name@entry=0xbfffdbe7 "no.such.address.", 
    service=0xbfffd4b0, req=req@entry=0xbfffdaf8, pai=pai@entry=0xbfffd9e0, 
    naddrs=naddrs@entry=0xbfffd9f0) at ../sysdeps/posix/getaddrinfo.c:584
#7  0x410fb4bb in __GI_getaddrinfo (name=0xbfffdbe7 "no.such.address.", 
    service=<optimized out>, hints=0xbfffdaf8, pai=0xbfffdb18)
    at ../sysdeps/posix/getaddrinfo.c:2359
#8  0xb7c34bba in netsnmp_getaddrinfo () from snmplib/.libs/libnetsnmp.so.30
#9  0xb7c34939 in netsnmp_gethostbyname_v4 ()
   from snmplib/.libs/libnetsnmp.so.30
#10 0xb7c6dd6a in netsnmp_udp_parse_security ()
   from snmplib/.libs/libnetsnmp.so.30
#11 0xb7c39b51 in run_config_handler () from snmplib/.libs/libnetsnmp.so.30
#12 0xb7c3afd7 in read_config () from snmplib/.libs/libnetsnmp.so.30
#13 0xb7c39880 in read_config_with_type_when ()
   from snmplib/.libs/libnetsnmp.so.30
#14 0xb7c3b366 in read_configs_optional () from snmplib/.libs/libnetsnmp.so.30
#15 0xb7c3b4ef in read_configs () from snmplib/.libs/libnetsnmp.so.30
#16 0xb7c15083 in init_snmp () from snmplib/.libs/libnetsnmp.so.30
#17 0x0804b6e9 in main ()

Comment 3 Bart Van Assche 2013-02-21 16:20:27 UTC
Created attachment 700644 [details]
/etc/samba/smb.conf

Comment 4 Andreas Schneider 2013-02-21 17:16:56 UTC
This is really strange. We probe the kernel for the interfaces, then duplicate the memory with and crash when accessing an entry.

523 for (i=0;i<total_probed;i++) {                            
524     if (probed_ifaces[i].flags & IFF_BROADCAST) {

Here we crash.

Earlier we do:

total_probed = get_interfaces(talloc_tos(), ifaces);
if (total_probed > 0) {                                       
    probed_ifaces = (struct iface_struct )memdup(ifaces, sizeof(ifaces[0])*total_probed);

Maybe on your system sizeof(ifaces[0]) * total_probed results in -1095427497

Can you set a breakpoint at load_interfaces() and after line 503 print the values:

p total_probed
p ifaces[0]
p sizeof(ifaces[0])

Comment 5 Bart Van Assche 2013-02-21 17:37:59 UTC
Interface information:

$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:7a:8b:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.102/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::5054:ff:fe7a:8bd3/64 scope link 
       valid_lft forever preferred_lft forever

And the gdb output:

$ LD_LIBRARY_PATH=agent/.libs:snmplib/.libs gdb agent/.libs/snmpd
(gdb) break load_interfaces
Function "load_interfaces" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (load_interfaces) pending.
(gdb) run -Mmibs -f -d -r -U -Lo  -C -c snmpd.conf udp:127.0.0.1:8794
(gdb) Breakpoint 1, load_interfaces () at ../source3/lib/interface.c:495
495     {
(gdb) next
496             struct iface_struct *ifaces = NULL;
(gdb) next
497             const char **ptr = lp_interfaces();
(gdb) next
500             gfree_interfaces();
(gdb) print ptr
$2 = (const char **) 0x0
(gdb) next
503             total_probed = get_interfaces(talloc_tos(), &ifaces);
(gdb) next
505             if (total_probed > 0) {
(gdb) print ifaces[0]
$2 = {name = "lo", '\000' <repeats 13 times>, flags = 65609, ip = {
    ss_family = 10, __ss_align = 0, 
    __ss_padding = '\000' <repeats 15 times>, "\001", '\000' <repeats 103 times>}, netmask = {ss_family = 10, __ss_align = 0, 
    __ss_padding = "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", '\000' <repeats 103 times>}, bcast = {ss_family = 10, __ss_align = 0, 
    __ss_padding = '\000' <repeats 15 times>, "\001", '\000' <repeats 103 times>}}
(gdb) print sizeof(ifaces[0])
$3 = 404
(gdb) next
503             total_probed = get_interfaces(talloc_tos(), &ifaces);
(gdb) next
505             if (total_probed > 0) {
(gdb) next
506                     probed_ifaces = (struct iface_struct *)memdup(ifaces,
(gdb) next
508                     if (!probed_ifaces) {
(gdb) print probed_ifaces
$10 = (struct iface_struct *) 0x0
(gdb) next
506                     probed_ifaces = (struct iface_struct *)memdup(ifaces,
(gdb) next
508                     if (!probed_ifaces) {
(gdb) print probed_ifaces
$11 = (struct iface_struct *) 0xffffffff
(gdb) next
513             TALLOC_FREE(ifaces);
(gdb) next
517             if (!ptr || !*ptr || !**ptr) {
(gdb) next
513             TALLOC_FREE(ifaces);
(gdb) next
517             if (!ptr || !*ptr || !**ptr) {
(gdb) next
518                     if (total_probed <= 0) {
(gdb) next
524                             if (probed_ifaces[i].flags & IFF_BROADCAST) {
(gdb) print i
$4 = 0
(gdb) print probed_ifaces
$5 = (struct iface_struct *) 0xffffffff
(gdb) next
Program received signal SIGSEGV, Segmentation fault.
0x41b8f8f2 in load_interfaces () at ../source3/lib/interface.c:524
524                             if (probed_ifaces[i].flags & IFF_BROADCAST) {

Comment 6 Andreas Schneider 2013-02-27 15:29:56 UTC
This is really strange. I will try to reproduce it here. This is a F18 with all the latest updates?

Comment 7 Bart Van Assche 2013-02-27 15:51:04 UTC
That's correct, this has been observed on up to date F18 system. I had run "yum update -y" shortly before I ran this test.

Comment 8 Andreas Schneider 2013-03-01 07:44:17 UTC
This could be related https://bugzilla.samba.org/show_bug.cgi?id=9666

Comment 9 Bart Van Assche 2013-09-16 18:04:05 UTC
Probably the same issue as https://bugzilla.redhat.com/show_bug.cgi?id=1000780.

Comment 10 Bart Van Assche 2013-09-16 18:05:07 UTC
Candidate fix: http://sourceforge.net/p/net-snmp/mailman/message/31405941/.

Comment 11 Guenther Deschner 2013-09-17 09:39:37 UTC
*** Bug 1000780 has been marked as a duplicate of this bug. ***

Comment 12 Fedora End Of Life 2013-12-21 11:35:41 UTC
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 13 Fedora End Of Life 2014-02-05 19:22:15 UTC
Fedora 18 changed to end-of-life (EOL) status on 2014-01-14. Fedora 18 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.