Hi Bart,
Thanks for your response.
Unfortunately Valgrind doesn't work on our product, due to memory limitations.
By generating backtraces with the help of an unstripped binary, we can see the
crash happened due to calling snmp_free_pdu() twice,
which then calls the snmp_free_varbind() function and causes the snmp pdu->variables
pointer to be freed twice.
From the logs, there are no logs for a request for an SNMP trap sent. The crash
happened when the snmpd service is started.
#4 malloc_printerr (action=3, str=0x7f22b2d43129 "corrupted double-linked
list", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:4836
#5 0x00007f22b2c58c08 in malloc_consolidate (av=av@entry=0x7f22b2f81660
<main_arena>) at malloc.c:4086
#6 0x00007f22b2c59b18 in _int_free (av=0x7f22b2f81660 <main_arena>,
p=0x18730a0, have_lock=0, trim=1) at malloc.c:3977
#7 0x00007f22b4192cd8 in snmp_free_pdu () from /usr/lib64/libnetsnmp.so.30
#8 0x00007f22b4192d24 in snmp_free_pdu () from /usr/lib64/libnetsnmp.so.30
#9 0x00007f22b41938f5 in snmp_sess_close () from /usr/lib64/libnetsnmp.so.30
#10 0x00007f22b4194c2f in snmp_sess_select_info2_flags () from
/usr/lib64/libnetsnmp.so.30
We are thinking of a defensive fix below to assign the pdu->variables to NULL
once after calling snmp_free_varbind(), which will avoid the crash if
snmp_free_pdu() is called twice.
Index: net-snmp-5.7.3/snmplib/snmp_api.c
===================================================================
--- net-snmp-5.7.3.orig/snmplib/snmp_api.c
+++ net-snmp-5.7.3/snmplib/snmp_api.c
@@ -5138,6 +5138,7 @@ snmp_free_pdu(netsnmp_pdu *pdu)
(*sptr->pdu_free) (pdu);
}
snmp_free_varbind(pdu->variables);
+ pdu->variables = NULL;
SNMP_FREE(pdu->enterprise);
SNMP_FREE(pdu->community);
SNMP_FREE(pdu->contextEngineID);
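Review bot: the added `pdu->variables = NULL;` after `snmp_free_varbind(pdu->variables);` guards a second snmp_free_pdu() call only if the netsnmp_pdu itself is still valid memory when that call arrives. The hunk does not show the end of the function; if `pdu` is released before returning, the second call reads `pdu->variables` out of freed memory and cannot rely on the NULL stored here, so the double call is hidden at best. I would look for the path that frees the same pdu twice (the backtrace points at snmp_sess_close()) and clear the caller's pointer there, and add a comment on snmp_free_pdu() saying the pdu must not be touched after the call.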
Please let us know if this sounds fine (or) if you think this will have any
further implications.
We see the subsequent macro "SNMP_FREE" is also setting the variable to NULL,
after freeing, which is missing in case of pdu->variables.
/** @def SNMP_FREE(s)
Frees a pointer only if it is !NULL and sets its value to NULL */
#define SNMP_FREE(s) do { if (s) { free((void *)s); s=NULL; } } while(0)
Thanks,
Kiran
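
The defensive pattern discussed in the message above, as an added example (not Net-SNMP code and not part of the thread): a free routine that clears the caller's pointer, so that a repeated call is a no-op. All `toy_*` names and `TOY_FREE` are hypothetical, and the sketch assumes the free routine releases the structure itself.

```c
#include <stdlib.h>
/* Hypothetical stand-ins for illustration; not Net-SNMP's own types. */
struct toy_varbind { struct toy_varbind *next; };
struct toy_pdu     { struct toy_varbind *variables; char *community; };
static int live_blocks;                  /* allocations not yet released */

static void *toy_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p) live_blocks++;
    return p;
}
/* Same idiom as the SNMP_FREE macro quoted above: free, then clear. */
#define TOY_FREE(s) do { if (s) { free((void *)(s)); live_blocks--; (s) = NULL; } } while (0)

struct toy_pdu *toy_pdu_new(int n)       /* n varbinds, constructed data */
{
    struct toy_pdu *pdu = toy_alloc(sizeof(*pdu));
    if (!pdu) return NULL;
    pdu->community = toy_alloc(sizeof("public"));
    for (int i = 0; i < n; i++) {
        struct toy_varbind *vb = toy_alloc(sizeof(*vb));
        if (!vb) break;
        vb->next = pdu->variables;
        pdu->variables = vb;
    }
    return pdu;
}

/* Takes the caller's handle: the struct is released at the end, so a NULL
 * stored in pdu->variables goes away with it; only *handle outlives the call. */
void toy_pdu_free(struct toy_pdu **handle)
{
    struct toy_pdu *pdu = handle ? *handle : NULL;
    if (!pdu) return;                    /* a second call ends here */
    while (pdu->variables) {
        struct toy_varbind *vb = pdu->variables;
        pdu->variables = vb->next;
        TOY_FREE(vb);
    }
    TOY_FREE(pdu->community);
    TOY_FREE(*handle);
}
int toy_live_blocks(void) { return live_blocks; }

int main(void)
{
    struct toy_pdu *pdu = toy_pdu_new(3);
    toy_pdu_free(&pdu);
    toy_pdu_free(&pdu);                  /* harmless: pdu is already NULL */
    return toy_live_blocks();            /* 0: every block freed exactly once */
}
```
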
From: Bart Van Assche <[email protected]>
Sent: 16 May 2019 16:27
To: Kiran Kumar Pamula -X (kpamula - HCL TECHNOLOGIES LIMITED at Cisco)
<[email protected]>; [email protected]
Subject: Re: Crash at snmp_free_varbind with Net-snmp 5.7.3
Hi Kiran,
I think Valgrind is the right tool to identify the root cause of this crash.
What is not clear to me and what has not been mentioned in any of your e-mails
is whether or not any custom MIB implementations (code from outside the
Net-SNMP source code tree) had been loaded into the snmpd process. There are no
known memory corruptions in the Net-SNMP code base so this memory corruption is
probably caused by a custom MIB implementation.
Bart.
On 5/16/19 11:17 AM, Kiran Kumar Pamula -X (kpamula - HCL TECHNOLOGIES LIMITED
at Cisco) via Net-snmp-users wrote:
Could you kindly share your inputs on this.
Thanks,
Kiran
From: Kiran Kumar Pamula -X (kpamula - HCL TECHNOLOGIES LIMITED at Cisco)
Sent: 12 May 2019 12:43
To: '[email protected]' <[email protected]>
Subject: RE: Crash at snmp_free_varbind with Net-snmp 5.7.3
Hi Team,
Could you please comment on this, in case this is a known issue.
Thanks,
Kiran
From: Kiran Kumar Pamula -X (kpamula - HCL TECHNOLOGIES LIMITED at Cisco)
Sent: 09 May 2019 11:48
To: '[email protected]' <[email protected]>
Cc: Saravanan Adhikesavan -X (sadhikes - HCL TECHNOLOGIES LIMITED at Cisco)
<[email protected]>; Naresh Pindukuru -X (narpindu - HCL TECHNOLOGIES LIMITED
at Cisco) <[email protected]>; Thivya Radjendirane -X (tradjend - HCL
TECHNOLOGIES LIMITED at Cisco) <[email protected]>; Apparao Podile -X (apodile -
HCL TECHNOLOGIES LIMITED at Cisco) <[email protected]>
Subject: Crash at snmp_free_varbind with Net-snmp 5.7.3
Hi Net-snmp team,
We are using Net-snmp 5.7.3 in our product and our customer has reported the
below crash recently, although it was never hit in our internal tests.
Could you please confirm if this is a known issue and if a patch is available
for the same.
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/snmpd -f -Lsd -M+/sw/unicorn/snmp/mibs -Dtrap
-Dusm -Dinit_mibs -I-sy'.
Program terminated with signal 6, Aborted.
#0 0x00007f22b2c14f57 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:63
#0 0x00007f22b2c14f57 in __GI_raise (sig=sig@entry=6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:63
resultvar = 0
pid = 6103
selftid = 6103
#1 0x00007f22b2c16418 in __GI_abort () at abort.c:90
save_stage = 2
act = {__sigaction_handler = {sa_handler = 0x7ffd12ecebca, sa_sigaction
= 0x7ffd12ecebca}, sa_mask = {__val = {6, 139787005871808, 2, 140724920970206,
2, 139787005862892, 1, 139787005871804, 3, 140724920970180, 12,
139787005871808, 2, 140724920970992, 11, 140724920972752}}, sa_flags = 93,
sa_restorer = 0x7}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007f22b2c52e3b in __libc_message (do_abort=do_abort@entry=2,
fmt=fmt@entry=0x7f22b2d468a0 "*** glibc detected *** %s: %s: 0x%s ***\n") at
../sysdeps/unix/sysv/linux/libc_fatal.c:197
ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7ffd12ecf5e0, reg_save_area = 0x7ffd12ecf4f0}}
ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area =
0x7ffd12ecf5e0, reg_save_area = 0x7ffd12ecf4f0}}
fd = 2
on_2 = <optimized out>
list = <optimized out>
nlist = <optimized out>
cp = <optimized out>
written = <optimized out>
#3 0x00007f22b2c589be in malloc_printerr (ptr=<optimized out>,
str=0x7f22b2d43129 "corrupted double-linked list", action=3, ar_ptr=<optimized
out>) at malloc.c:4855
buf = "0000000001806d00"
cp = <optimized out>
#4 malloc_printerr (action=3, str=0x7f22b2d43129 "corrupted double-linked
list", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:4836
No locals.
#5 0x00007f22b2c58c08 in malloc_consolidate (av=av@entry=0x7f22b2f81660
<main_arena>) at malloc.c:4086
fb = <optimized out>
maxfb = 0x7f22b2f816b0 <main_arena+80>
p = 0x1806b30
nextp = 0x0
unsorted_bin = 0x7f22b2f816b8 <main_arena+88>
first_unsorted = <optimized out>
nextchunk = 0x1806d00
size = 512
nextsize = <optimized out>
prevsize = <optimized out>
nextinuse = <optimized out>
bck = <optimized out>
fwd = 0x7f22b2f816d8 <main_arena+120>
#6 0x00007f22b2c59b18 in _int_free (av=0x7f22b2f81660 <main_arena>,
p=0x18730a0, have_lock=0, trim=1) at malloc.c:3977
size = 96160
fb = <optimized out>
nextchunk = 0x18739a0
nextsize = 93856
nextinuse = <optimized out>
prevsize = <optimized out>
bck = <optimized out>
fwd = <optimized out>
errstr = 0x0
locked = 1
__func__ = "_int_free"
#7 0x00007f22b4192cd8 in snmp_free_varbind () from /usr/lib64/libnetsnmp.so.30
No symbol table info available.
#8 0x00007f22b4192d24 in snmp_free_pdu () from /usr/lib64/libnetsnmp.so.30
No symbol table info available.
#9 0x00007f22b41938f5 in snmp_sess_close () from /usr/lib64/libnetsnmp.so.30
No symbol table info available.
#10 0x00007f22b4194c2f in snmp_sess_select_info2_flags () from
/usr/lib64/libnetsnmp.so.30
No symbol table info available.
#11 0x0000000000403c9a in ?? ()
No symbol table info available.
#12 0x00007f22b2c01865 in __libc_start_main (main=0x4028f0, argc=20,
ubp_av=0x7ffd12ecfb88, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7ffd12ecfb78) at libc-start.c:274
result = <optimized out>
unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 4240236755570019627,
4212360, 140724920974208, 0, 0, -4241690438631797461, -4279196600293372629},
mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x404950, 0x7ffd12ecfb88}, data
= {prev = 0x0, cleanup = 0x0, canceltype = 4213072}}}
not_first_call = <optimized out>
#13 0x00000000004046b1 in ?? ()
No symbol table info available.
Thanks,
Kiran
_______________________________________________
Net-snmp-users mailing list