Hello list,
 
We are seeing the following crash in NET-SNMP-5.2.2 for SNMPD. It looks like SNMPD is trying to access a freed reginfo while servicing the delegated request when the SubAgent is dead.
 
The following is the core dump for the same.
(gdb) bt
#0  netsnmp_call_handlers (reginfo=0x14300101, reqinfo=0x80f1418, requests=0x80f8d30) at agent_handler.c:465
#1  0x400cbdfe in handle_var_requests (asp=0x80f8710) at snmp_agent.c:2423
#2  0x400cd036 in handle_getnext_loop (asp=0x80f8710) at snmp_agent.c:2844
#3  0x400ce8e2 in check_delayed_request (asp=0x80f8710) at snmp_agent.c:2626
#4  0x400ce9ed in netsnmp_check_outstanding_agent_requests () at snmp_agent.c:2521
#5  0x400ced40 in netsnmp_remove_delegated_requests_for_session (sess=0x80e6f90) at snmp_agent.c:1429
#6  0x400ec001 in close_agentx_session (session=0x80d5080, sessid=-1) at mibgroup/agentx/master_admin.c:154
#7  0x400ec91d in handle_master_agentx_packet (operation=5, session=0x80d5080, reqid=0, pdu=0x0, magic=0x0)
    at mibgroup/agentx/master_admin.c:490
#8  0x401429c9 in _sess_read (sessp=0x80b8a60, fdset=0xbfffdf10) at snmp_api.c:5506
#9  0x40142b20 in snmp_sess_read (sessp=0x80b8a60, fdset=0xbfffdf10) at snmp_api.c:5694
#10 0x40142b7d in snmp_read (fdset=0xbfffdf10) at snmp_api.c:5328
#11 0x0804b894 in main (argc=5, argv=0xbffff0c4) at snmpd.c:1170
 
(gdb) fr 0
#0  netsnmp_call_handlers (reginfo=0x14300101, reqinfo=0x80f1418, requests=0x80f8d30) at agent_handler.c:465
465         if (reginfo->handler == NULL) {
(gdb) p *reginfo
Cannot access memory at address 0x14300101

(gdb) p *reqinfo
$2 = {mode = 161, asp = 0x80f8710, agent_data = 0x0}
(gdb) p *reqinfo->asp
$3 = {mode = 161, session = 0x80d5178, pdu = 0x80f8760, orig_pdu = 0x80f8a48, rw = 1, exact = 1, status = 5, index = 1,
  oldmode = 0, next = 0x0, reqinfo = 0x80f1418, requests = 0x80f8d30, treecache = 0x80f9800, bulkcache = 0x0,
  treecache_len = 16, treecache_num = 0, cache_store = 0x80bade0, vbcount = 1}
(gdb) p *reqinfo->asp->session
$4 = {version = -1, retries = 5, timeout = 1000000, flags = 0, subsession = 0x0, next = 0x0, peername = 0x0,
  remote_port = 0, localname = 0x0, local_port = 0, authenticator = 0, callback = 0x400cefb0 <handle_snmp_packet>,
  callback_magic = 0x0, s_errno = 0, s_snmp_errno = 0, sessid = 5, community = 0x80a4be8 "", community_len = 0,
  rcvMsgMaxSize = 65507, sndMsgMaxSize = 0, isAuthoritative = 1 '\001', contextEngineID = 0x0, contextEngineIDLen = 0,
  engineBoots = 0, engineTime = 0, contextName = 0x80c05f0 "", contextNameLen = 0, securityEngineID = 0x0,
  securityEngineIDLen = 0, securityName = 0x0, securityNameLen = 0, securityAuthProto = 0x80bfde8,
  securityAuthProtoLen = 10, securityAuthKey = '\0' <repeats 31 times>, securityAuthKeyLen = 0, securityAuthLocalKey = 0x0,
  securityAuthLocalKeyLen = 0, securityPrivProto = 0x80c0528, securityPrivProtoLen = 10,
  securityPrivKey = '\0' <repeats 31 times>, securityPrivKeyLen = 0, securityPrivLocalKey = 0x0,
  securityPrivLocalKeyLen = 0, securityModel = 3, securityLevel = 1, securityInfo = 0x0, myvoid = 0x0}
(gdb) p reqinfo->mode
$6 = 161
(gdb) p requests->requestvb
$9 = (netsnmp_variable_list *) 0x80f87f8
(gdb) p *requests->requestvb
$10 = {next_variable = 0x0, name = 0x80f8810, name_length = 13, type = 5 '\005', val = {integer = 0x80f8a10,
    string = 0x80f8a10 "", objid = 0x80f8a10, bitstring = 0x80f8a10 "", counter64 = 0x80f8a10, floatVal = 0x80f8a10,
    doubleVal = 0x80f8a10}, val_len = 0, name_loc = {1, 3, 6, 1, 4, 1, 18568, 1, 2, 4, 1, 2, 1, 0 <repeats 17 times>,
    65696, 152, 0 <repeats 36 times>, 65848, 152, 0 <repeats 36 times>, 66000, 72, 0, 0, 135205912, 135158496, 13, 0, 0, 0,
    0, 1, 0, 0, 135235936, 0, 0, 135158296, 0, 1249, 1076721496, 1076721496},
  buf = "\000\000\000\000\002\000\000\000 V\016\b\004\000\000\000\001\000\000\000\003\000\000\000\006\000\000\000\001\000\000\000\004\000\000\000\001\000\000", data = "" dataFreeHook = 0, index = 0}
(gdb) p *requests->requestvb->name
$11 = 1
(gdb) p *requests
$12 = {requestvb = 0x80f87f8, parent_data = 0x0, agent_req_info = 0x80f1418, range_end = 0x0, range_end_len = 13,
  delegated = 0, processed = 0, inclusive = 0, status = 0, index = 1, repeat = 0, orig_repeat = 0,
  requestvb_start = 0x80f87f8, next = 0x0, prev = 0x0, subtree = 0x80e5a18}
(gdb) p asp->treecache[0].subtree
$19 = (struct netsnmp_subtree_s *) 0x80e5a18
(gdb) p *asp->treecache[0].subtree==============================>Looks like subtree is freed, but not set to null.
$20 = {name_a = 0x80f5f78, namelen = 96 '`', start_a = 0x0, start_len = 13 '\r', end_a = 0x0, end_len = 13 '\r',
  variables = 0x0, variables_len = 0, variables_width = 0, label_a = 0x0, session = 0x80e6f90, flags = 2 '\002',
  priority = 127 '\177', timeout = 16843311, next = 0x75700604, prev = 0x63696c62, children = 0x40222a2,
  range_subid = -1102699403, range_ubound = 33882370, reginfo = 0x14300101, cacheid = 0, global_cacheid = 67175979}
 
In the above frame, asp->treecache[0].subtree is freed, but the pointer is not set to null. What could be the reason?
 
Has anybody faced this kind of crash in SNMPD? Is any fix available?

Please help us.

Regards
Mahesh
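The pattern in the trace above (a per-request treecache holding raw pointers to subtree registrations that are freed on session close, with no invalidation, so the next dispatch dereferences garbage) can be illustrated with a small model. The code below is an added example written for this page; it is not net-snmp code and not something from the original post. All names (subtree_t, agent_request_t, register_subtree, close_session, dispatch_request) and the sample session numbers are constructed assumptions chosen to mirror the trace. It shows the defensive ordering: clear every cached reference to a subtree before freeing it, and have the dispatcher treat a NULL slot as "registration gone" instead of calling through it.

```c
#include <stdlib.h>
#include <stdio.h>

/*
 * Constructed model (not net-snmp code) of the failure mode seen in the trace:
 * a request-scoped cache keeps raw pointers to subtree registrations; when the
 * owning subagent session is closed the subtrees are freed, and any cache slot
 * still pointing at them becomes a dangling pointer. Here the close path
 * invalidates cached references before freeing, and dispatch skips NULL slots.
 */

#define MAX_SUBTREES 8

typedef struct subtree_s {
    int session_id;   /* session that registered this subtree (assumed field) */
    int handled;      /* incremented each time a request is dispatched to it */
} subtree_t;

typedef struct agent_request_s {
    subtree_t *treecache[MAX_SUBTREES];  /* raw pointers into the registry */
    int treecache_num;
} agent_request_t;

/* Global registry of live subtrees; owned here and freed on session close. */
static subtree_t *registry[MAX_SUBTREES];
static int registry_num = 0;

/* Register a subtree on behalf of a session; returns it, or NULL if full. */
subtree_t *register_subtree(int session_id) {
    if (registry_num >= MAX_SUBTREES) return NULL;
    subtree_t *st = calloc(1, sizeof(*st));
    if (!st) return NULL;
    st->session_id = session_id;
    registry[registry_num++] = st;
    return st;
}

/* Build a request whose cache references every live subtree. */
void cache_all_subtrees(agent_request_t *asp) {
    asp->treecache_num = 0;
    for (int i = 0; i < registry_num; i++)
        asp->treecache[asp->treecache_num++] = registry[i];
}

/* Clear every cache slot that points at `st`; returns how many were cleared. */
int invalidate_cache_entries(agent_request_t *asp, const subtree_t *st) {
    int cleared = 0;
    for (int i = 0; i < asp->treecache_num; i++) {
        if (asp->treecache[i] == st) {
            asp->treecache[i] = NULL;
            cleared++;
        }
    }
    return cleared;
}

/*
 * Close a session: for each subtree it owns, drop cached references FIRST,
 * then free. Returns the number of subtrees freed. The missing invalidation
 * step is exactly what leaves a stale subtree pointer in the cache.
 */
int close_session(int session_id, agent_request_t *asp) {
    int freed = 0, w = 0;
    for (int r = 0; r < registry_num; r++) {
        subtree_t *st = registry[r];
        if (st->session_id == session_id) {
            invalidate_cache_entries(asp, st);
            free(st);
            freed++;
        } else {
            registry[w++] = st;   /* compact surviving entries */
        }
    }
    registry_num = w;
    return freed;
}

/* Dispatch to cached subtrees, skipping cleared slots. Returns handled count. */
int dispatch_request(agent_request_t *asp, int *skipped) {
    int handled = 0;
    *skipped = 0;
    for (int i = 0; i < asp->treecache_num; i++) {
        subtree_t *st = asp->treecache[i];
        if (st == NULL) { (*skipped)++; continue; }  /* registration is gone */
        st->handled++;
        handled++;
    }
    return handled;
}

/* Free whatever is still registered so the scenario can be re-run cleanly. */
void reset_registry(void) {
    for (int i = 0; i < registry_num; i++) free(registry[i]);
    registry_num = 0;
}

int main(void) {
    agent_request_t asp;
    register_subtree(5); register_subtree(5); register_subtree(6);
    cache_all_subtrees(&asp);
    int freed = close_session(5, &asp), skipped = 0;
    int handled = dispatch_request(&asp, &skipped);
    printf("freed=%d handled=%d skipped=%d\n", freed, handled, skipped);
    reset_registry();
    return 0;
}
```

The point of the model is the ordering in close_session: the cache is scanned and cleared while the subtree pointer is still valid, so a delegated request that is serviced afterwards sees NULL rather than the recycled memory seen in the trace (reginfo=0x14300101). Running it prints freed=2 handled=1 skipped=2.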
Net-snmp-users mailing list