Hi Bart,

Thanks for your response.

Unfortunately Valgrind doesn't work on our product, due to memory limitations.

By generating backtraces with the help of the unstripped binary, we can see that the 
crash happened due to calling snmp_free_pdu() twice,
which then calls the snmp_free_varbind() function and causes the pdu->variables 
pointer to be freed twice.

From the logs, there are no log entries for an SNMP trap request being sent. The crash 
happened when the snmpd service was started.

#4  malloc_printerr (action=3, str=0x7f22b2d43129 "corrupted double-linked 
list", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:4836
#5  0x00007f22b2c58c08 in malloc_consolidate (av=av@entry=0x7f22b2f81660 
<main_arena>) at malloc.c:4086
#6  0x00007f22b2c59b18 in _int_free (av=0x7f22b2f81660 <main_arena>, 
p=0x18730a0, have_lock=0, trim=1) at malloc.c:3977
#7  0x00007f22b4192cd8 in snmp_free_pdu () from /usr/lib64/libnetsnmp.so.30
#8  0x00007f22b4192d24 in snmp_free_pdu () from /usr/lib64/libnetsnmp.so.30
#9  0x00007f22b41938f5 in snmp_sess_close () from /usr/lib64/libnetsnmp.so.30
#10 0x00007f22b4194c2f in snmp_sess_select_info2_flags () from 
/usr/lib64/libnetsnmp.so.30

We are thinking of the defensive fix below: assign pdu->variables to NULL 
after calling snmp_free_varbind(), which will avoid the crash if 
snmp_free_pdu() is called twice.

Index: net-snmp-5.7.3/snmplib/snmp_api.c
===================================================================
--- net-snmp-5.7.3.orig/snmplib/snmp_api.c
+++ net-snmp-5.7.3/snmplib/snmp_api.c
@@ -5138,6 +5138,7 @@ snmp_free_pdu(netsnmp_pdu *pdu)
         (*sptr->pdu_free) (pdu);
     }
     snmp_free_varbind(pdu->variables);
+    pdu->variables = NULL;
     SNMP_FREE(pdu->enterprise);
     SNMP_FREE(pdu->community);
     SNMP_FREE(pdu->contextEngineID);
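Review bot: the added `pdu->variables = NULL;` only stops the varbind list from being walked and freed a second time; it does not make a second snmp_free_pdu() call on the same pdu safe, because if, as its name suggests, snmp_free_pdu() goes on to release the pdu structure itself after these lines (not shown in the hunk), the second call still reads and writes freed memory, and the assignment itself then lands in a freed block. The line is consistent with what SNMP_FREE already does for `pdu->enterprise`, `pdu->community` and `pdu->contextEngineID` just below it, so keeping it is reasonable, but it masks the defect rather than fixing it. The backtrace in the thread ("corrupted double-linked list" raised from malloc_consolidate while _int_free was releasing a 96160-byte chunk) shows heap metadata was already damaged when the second free ran, so the caller that frees the same pdu twice still has to be found; the snmp_sess_close() -> snmp_free_pdu() path in frames #8-#9 is where to add a check that the pointer being freed has not already been freed, and the caller should clear its own pointer after every `snmp_free_pdu(x); x = NULL;`.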

Please let us know if this sounds fine, or if you think this will have any 
further implications.
We see that the subsequent macro "SNMP_FREE" also sets the variable to NULL 
after freeing, which is missing in the case of pdu->variables.

/** @def SNMP_FREE(s)
    Frees a pointer only if it is !NULL and sets its value to NULL */
#define SNMP_FREE(s)    do { if (s) { free((void *)s); s=NULL; } } while(0)

Thanks,
Kiran
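
The defensive assignment discussed in the message above, worked through on a toy PDU as an added example. This is not Net-SNMP code: the struct layouts, the SAFE_FREE macro and the function names pdu_release_contents, pdu_free, varbind_push and varbind_free_all are assumptions made for illustration. It shows two things: clearing the list head after freeing it makes a repeated release of the pdu's contents a no-op, and the same trick cannot protect the pdu struct itself, which is why the owning pointer at the call site also has to be cleared.

```c
#include <stdlib.h>
#include <string.h>

/* Toy stand-ins for netsnmp_variable_list / netsnmp_pdu. These are assumed
 * shapes for illustration, not Net-SNMP's real structures. */
typedef struct varbind {
    struct varbind *next;
    char *name;                 /* owned copy, freed with the node */
} varbind;

typedef struct pdu {
    varbind *variables;         /* owned list head */
    char *community;            /* owned string */
} pdu;

/* Same shape as Net-SNMP's SNMP_FREE: free only if non-NULL, then clear. */
#define SAFE_FREE(s) do { if (s) { free((void *)(s)); (s) = NULL; } } while (0)

/* Portable strdup replacement so the example needs no POSIX extensions. */
static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Prepend a varbind to the list; returns the (possibly unchanged) head. */
static varbind *varbind_push(varbind *head, const char *name) {
    varbind *v = malloc(sizeof *v);
    if (!v) return head;
    v->name = dup_str(name);
    v->next = head;
    return v;
}

/* Free a whole varbind chain; returns how many nodes were released. */
static int varbind_free_all(varbind *v) {
    int n = 0;
    while (v) {
        varbind *next = v->next;
        free(v->name);
        free(v);
        v = next;
        n++;
    }
    return n;
}

/* Release everything the pdu owns but keep the struct itself alive.
 * Clearing pdu->variables (the one-line change proposed above) turns a
 * repeated call into a no-op instead of a second walk over freed nodes. */
int pdu_release_contents(pdu *p) {
    int n = varbind_free_all(p->variables);
    p->variables = NULL;            /* the defensive assignment */
    SAFE_FREE(p->community);
    return n;
}

/* Release the pdu through the caller's own pointer and clear it, so the
 * caller cannot keep a dangling reference. This is the change that belongs
 * at the call site when the real bug is "free called twice on one pdu":
 * nulling fields inside the struct cannot protect the struct itself. */
int pdu_free(pdu **pp) {
    if (!pp || !*pp) return 0;      /* a repeated call lands here */
    int n = pdu_release_contents(*pp);
    free(*pp);
    *pp = NULL;
    return n;
}

/* Scenario 1: contents released twice on a live pdu (constructed sample).
 * Returns the total number of varbind nodes freed across both calls. */
int demo_release_contents_twice(void) {
    pdu *p = calloc(1, sizeof *p);
    if (!p) return -1;
    p->community = dup_str("public");
    p->variables = varbind_push(p->variables, "sysDescr.0");
    p->variables = varbind_push(p->variables, "sysUpTime.0");
    p->variables = varbind_push(p->variables, "sysName.0");
    int total = pdu_release_contents(p);    /* frees 3 nodes */
    total += pdu_release_contents(p);       /* frees 0: list head is NULL */
    free(p);
    return total;                           /* 3 */
}

/* Scenario 2: the whole pdu freed twice through the owning pointer.
 * Returns nodes freed (2), plus 100 if the caller's pointer dangled. */
int demo_free_pdu_twice(void) {
    pdu *p = calloc(1, sizeof *p);
    if (!p) return -1;
    p->variables = varbind_push(p->variables, "ifInOctets.1");
    p->variables = varbind_push(p->variables, "ifOutOctets.1");
    int total = pdu_free(&p);               /* frees 2 nodes, p becomes NULL */
    total += pdu_free(&p);                  /* no-op */
    return total + (p == NULL ? 0 : 100);   /* 2 */
}
```

Scenario 1 is what the proposed patch buys: the second release sees a NULL list head and does nothing. Scenario 2 is the part the patch cannot cover: once the struct is freed, no field inside it can be trusted, so the only place a repeat can be caught is the pointer the caller holds.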

From: Bart Van Assche <bvanass...@acm.org>
Sent: 16 May 2019 16:27
To: Kiran Kumar Pamula -X (kpamula - HCL TECHNOLOGIES LIMITED at Cisco) 
<kpam...@cisco.com>; net-snmp-users@lists.sourceforge.net
Subject: Re: Crash at snmp_free_varbind with Net-snmp 5.7.3

Hi Kiran,

I think Valgrind is the right tool to identify the root cause of this crash. 
What is not clear to me and what has not been mentioned in any of your e-mails 
is whether or not any custom MIB implementations (code from outside the 
Net-SNMP source code tree) had been loaded into the snmpd process. There are no 
known memory corruptions in the Net-SNMP code base so this memory corruption is 
probably caused by a custom MIB implementation.

Bart.

On 5/16/19 11:17 AM, Kiran Kumar Pamula -X (kpamula - HCL TECHNOLOGIES LIMITED 
at Cisco) via Net-snmp-users wrote:
Could you kindly share your inputs on this?

Thanks,
Kiran

From: Kiran Kumar Pamula -X (kpamula - HCL TECHNOLOGIES LIMITED at Cisco)
Sent: 12 May 2019 12:43
To: net-snmp-users@lists.sourceforge.net
Subject: RE: Crash at snmp_free_varbind with Net-snmp 5.7.3

Hi Team,

Could you please comment on this, in case this is a known issue.

Thanks,
Kiran

From: Kiran Kumar Pamula -X (kpamula - HCL TECHNOLOGIES LIMITED at Cisco)
Sent: 09 May 2019 11:48
To: net-snmp-users@lists.sourceforge.net
Cc: Saravanan Adhikesavan -X (sadhikes - HCL TECHNOLOGIES LIMITED at Cisco) 
<sadhi...@cisco.com>; Naresh Pindukuru -X (narpindu - HCL TECHNOLOGIES LIMITED at Cisco) 
<narpi...@cisco.com>; Thivya Radjendirane -X (tradjend - HCL TECHNOLOGIES LIMITED at Cisco) 
<tradj...@cisco.com>; Apparao Podile -X (apodile - HCL TECHNOLOGIES LIMITED at Cisco) 
<apod...@cisco.com>
Subject: Crash at snmp_free_varbind with Net-snmp 5.7.3

Hi Net-snmp team,

We are using Net-snmp 5.7.3 in our product and our customer has recently reported the 
crash below, although it was never hit in our internal tests.

Could you please confirm whether this is a known issue and whether a patch is 
available for it.

Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/snmpd -f -Lsd -M+/sw/unicorn/snmp/mibs -Dtrap 
-Dusm -Dinit_mibs -I-sy'.
Program terminated with signal 6, Aborted.
#0  0x00007f22b2c14f57 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:63
#0  0x00007f22b2c14f57 in __GI_raise (sig=sig@entry=6) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:63
        resultvar = 0
        pid = 6103
        selftid = 6103
#1  0x00007f22b2c16418 in __GI_abort () at abort.c:90
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7ffd12ecebca, sa_sigaction 
= 0x7ffd12ecebca}, sa_mask = {__val = {6, 139787005871808, 2, 140724920970206, 
2, 139787005862892, 1, 139787005871804, 3, 140724920970180, 12, 
139787005871808, 2, 140724920970992, 11, 140724920972752}}, sa_flags = 93, 
sa_restorer = 0x7}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007f22b2c52e3b in __libc_message (do_abort=do_abort@entry=2, 
fmt=fmt@entry=0x7f22b2d468a0 "*** glibc detected *** %s: %s: 0x%s ***\n") at 
../sysdeps/unix/sysv/linux/libc_fatal.c:197
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 
0x7ffd12ecf5e0, reg_save_area = 0x7ffd12ecf4f0}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 
0x7ffd12ecf5e0, reg_save_area = 0x7ffd12ecf4f0}}
        fd = 2
        on_2 = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
        written = <optimized out>
#3  0x00007f22b2c589be in malloc_printerr (ptr=<optimized out>, 
str=0x7f22b2d43129 "corrupted double-linked list", action=3, ar_ptr=<optimized 
out>) at malloc.c:4855
        buf = "0000000001806d00"
        cp = <optimized out>
#4  malloc_printerr (action=3, str=0x7f22b2d43129 "corrupted double-linked 
list", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:4836
No locals.
#5  0x00007f22b2c58c08 in malloc_consolidate (av=av@entry=0x7f22b2f81660 
<main_arena>) at malloc.c:4086
        fb = <optimized out>
        maxfb = 0x7f22b2f816b0 <main_arena+80>
        p = 0x1806b30
        nextp = 0x0
        unsorted_bin = 0x7f22b2f816b8 <main_arena+88>
        first_unsorted = <optimized out>
        nextchunk = 0x1806d00
        size = 512
        nextsize = <optimized out>
        prevsize = <optimized out>
        nextinuse = <optimized out>
        bck = <optimized out>
        fwd = 0x7f22b2f816d8 <main_arena+120>
#6  0x00007f22b2c59b18 in _int_free (av=0x7f22b2f81660 <main_arena>, 
p=0x18730a0, have_lock=0, trim=1) at malloc.c:3977
        size = 96160
        fb = <optimized out>
        nextchunk = 0x18739a0
        nextsize = 93856
        nextinuse = <optimized out>
        prevsize = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
        errstr = 0x0
        locked = 1
        __func__ = "_int_free"
#7  0x00007f22b4192cd8 in snmp_free_varbind () from /usr/lib64/libnetsnmp.so.30
No symbol table info available.
#8  0x00007f22b4192d24 in snmp_free_pdu () from /usr/lib64/libnetsnmp.so.30
No symbol table info available.
#9  0x00007f22b41938f5 in snmp_sess_close () from /usr/lib64/libnetsnmp.so.30
No symbol table info available.
#10 0x00007f22b4194c2f in snmp_sess_select_info2_flags () from 
/usr/lib64/libnetsnmp.so.30
No symbol table info available.
#11 0x0000000000403c9a in ?? ()
No symbol table info available.
#12 0x00007f22b2c01865 in __libc_start_main (main=0x4028f0, argc=20, 
ubp_av=0x7ffd12ecfb88, init=<optimized out>, fini=<optimized out>, 
rtld_fini=<optimized out>, stack_end=0x7ffd12ecfb78) at libc-start.c:274
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 4240236755570019627, 
4212360, 140724920974208, 0, 0, -4241690438631797461, -4279196600293372629}, 
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x404950, 0x7ffd12ecfb88}, data 
= {prev = 0x0, cleanup = 0x0, canceltype = 4213072}}}
        not_first_call = <optimized out>
#13 0x00000000004046b1 in ?? ()
No symbol table info available.

Thanks,
Kiran

_______________________________________________
Net-snmp-users mailing list
Net-snmp-users@lists.sourceforge.net
Please see the following page to unsubscribe or change other options:
https://lists.sourceforge.net/lists/listinfo/net-snmp-users