[Pkg-net-snmp-devel] Bug#565635: Crashes when queried
Simon Richter
sjr at debian.org
Sun Jan 17 15:06:18 UTC 2010
Package: snmpd
Version: 5.4.2.1~dfsg-5
Severity: grave
Hi,
since the last upgrade, about any GETNEXT request makes snmpd crash,
first logging an assertion failure, then stumbling over what looks like
a null pointer dereference (address 0x20c).
To reproduce, try querying IP-MIB::ipAddressTable:
snmpgetnext -v2c -c private 127.0.0.1 1.3.6.1.2.1.4.34.1 1.3.6.1.2.1.4.34.2 1.3.6.1.2.1.4.34.3
The bug is not specific to IP-MIB, however -- there are a few problems
in this module too, but the crash happens later.
Valgrind log is attached.
Simon
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.32-trunk-powerpc
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages snmpd depends on:
ii adduser 3.112 add and remove users and groups
ii debconf [debconf-2.0] 1.5.28 Debian configuration management sy
ii libc6 2.10.2-5 Embedded GNU C Library: Shared lib
ii libsnmp15 5.4.2.1~dfsg-4 SNMP (Simple Network Management Pr
ii libwrap0 7.6.q-18 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-23 Linux Standard Base 3.2 init scrip
snmpd recommends no packages.
snmpd suggests no packages.
-- debconf information:
snmpd/upgradefrom521:
-------------- next part --------------
==23677== Memcheck, a memory error detector
==23677== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==23677== Using Valgrind-3.5.0-Debian and LibVEX; rerun with -h for copyright info
==23677== Command: snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1
==23677== Parent PID: 23646
==23677==
==23677== Source and destination overlap in strncpy(0xfd56ea9, 0xfd56ea9, 64)
==23677== at 0xFFBB4C8: strncpy (mc_replace_strmem.c:329)
==23677== by 0xFCFD9E3: snmp_log_syslogname (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== by 0xFCFDA5B: snmp_enable_syslog_ident (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== by 0xFCFE0FF: snmp_log_options (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== by 0x10002713: main (in /usr/sbin/snmpd)
==23677==
==23677==
==23677== HEAP SUMMARY:
==23677== in use at exit: 954 bytes in 34 blocks
==23677== total heap usage: 87 allocs, 53 frees, 7,734 bytes allocated
==23677==
==23677==
==23677== LEAK SUMMARY:
==23677== definitely lost: 80 bytes in 2 blocks
==23677== indirectly lost: 240 bytes in 20 blocks
==23677== possibly lost: 0 bytes in 0 blocks
==23677== still reachable: 634 bytes in 12 blocks
==23677== suppressed: 0 bytes in 0 blocks
==23677== Rerun with --leak-check=full to see details of leaked memory
==23677==
==23677== For counts of detected and suppressed errors, rerun with: -v
==23677== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 5 from 3)
==23677== Conditional jump or move depends on uninitialised value(s)
==23677== at 0xFE7328C: netsnmp_linux_interface_get_if_speed (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE746DB: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE43B1B: netsnmp_access_interface_init (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE7C743: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677==
==23677== Conditional jump or move depends on uninitialised value(s)
==23677== at 0xFE74374: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE43B1B: netsnmp_access_interface_init (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE7C743: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677==
==23677== Conditional jump or move depends on uninitialised value(s)
==23677== at 0xFE73294: netsnmp_linux_interface_get_if_speed (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE746DB: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE43B1B: netsnmp_access_interface_init (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE7C743: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677==
==23677== Conditional jump or move depends on uninitialised value(s)
==23677== at 0xFE7328C: netsnmp_linux_interface_get_if_speed (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE746DB: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE48A4F: ifTable_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE4839B: ??? (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFF0A67B: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677== by 0xFF0B027: netsnmp_cache_handler_get (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677== by 0xFE4813B: _ifTable_initialize_interface (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE167EB: initialize_table_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE16BFF: init_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE7CE53: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677==
==23677== Conditional jump or move depends on uninitialised value(s)
==23677== at 0xFE74374: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE48A4F: ifTable_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE4839B: ??? (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFF0A67B: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677== by 0xFF0B027: netsnmp_cache_handler_get (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677== by 0xFE4813B: _ifTable_initialize_interface (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE167EB: initialize_table_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE16BFF: init_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE7CE53: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677==
==23677== Conditional jump or move depends on uninitialised value(s)
==23677== at 0xFE73294: netsnmp_linux_interface_get_if_speed (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE746DB: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE48A4F: ifTable_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE4839B: ??? (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFF0A67B: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677== by 0xFF0B027: netsnmp_cache_handler_get (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677== by 0xFE4813B: _ifTable_initialize_interface (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE167EB: initialize_table_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE16BFF: init_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0xFE7CE53: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677==
==23677== Invalid read of size 4
==23677== at 0xFF18220: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677== by 0xFF6A187: netsnmp_call_next_handler (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFF13F0F: table_helper_handler (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677== by 0xFF6A6B7: netsnmp_call_handlers (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFF5859B: handle_var_requests (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFF5A647: handle_pdu (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFF5D1C7: netsnmp_handle_request (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFF5DF0B: handle_snmp_packet (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFCE2B8B: ??? (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== by 0xFCE4ACF: _sess_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== by 0xFCE521B: snmp_sess_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== by 0xFCE52AB: snmp_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== Address 0x20c is not stack'd, malloc'd or (recently) free'd
==23677==
==23677==
==23677== Process terminating with default action of signal 11 (SIGSEGV)
==23677== Access not within mapped region at address 0x20C
==23677== at 0xFF18220: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677== by 0xFF6A187: netsnmp_call_next_handler (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFF13F0F: table_helper_handler (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677== by 0xFF6A6B7: netsnmp_call_handlers (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFF5859B: handle_var_requests (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFF5A647: handle_pdu (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFF5D1C7: netsnmp_handle_request (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFF5DF0B: handle_snmp_packet (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677== by 0xFCE2B8B: ??? (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== by 0xFCE4ACF: _sess_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== by 0xFCE521B: snmp_sess_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== by 0xFCE52AB: snmp_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== If you believe this happened as a result of a stack
==23677== overflow in your program's main thread (unlikely but
==23677== possible), you can try to increase the size of the
==23677== main thread stack using the --main-stacksize= flag.
==23677== The main thread stack size used in this run was 8388608.
==23677==
==23677== HEAP SUMMARY:
==23677== in use at exit: 776,860 bytes in 17,572 blocks
==23677== total heap usage: 20,514 allocs, 2,942 frees, 1,292,896 bytes allocated
==23677==
==23677== LEAK SUMMARY:
==23677== definitely lost: 764 bytes in 21 blocks
==23677== indirectly lost: 240 bytes in 20 blocks
==23677== possibly lost: 0 bytes in 0 blocks
==23677== still reachable: 775,856 bytes in 17,531 blocks
==23677== suppressed: 0 bytes in 0 blocks
==23677== Rerun with --leak-check=full to see details of leaked memory
==23677==
==23677== For counts of detected and suppressed errors, rerun with: -v
==23677== Use --track-origins=yes to see where uninitialised values come from
==23677== ERROR SUMMARY: 74 errors from 8 contexts (suppressed: 5 from 3)
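As an added triage aid (example code, not part of this report or of the net-snmp project), the following Python script parses Memcheck logs of the shape attached above: it splits the log into error records with their stack frames and faulting address, counts records by kind, and applies the heuristic the reporter used when reading "address 0x20c", namely that a fault inside the first, never-mapped page is a NULL pointer plus a struct-field offset rather than a wild pointer. The sample input is an excerpt of the attached log with the stacks shortened; the page-size threshold and all function names in the script are my own choices.

```python
"""Parse a Valgrind Memcheck log into error records and classify the crash."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the Memcheck log attached to the report above, stacks shortened.
SAMPLE_LOG = """\
==23677== Memcheck, a memory error detector
==23677== Command: snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1
==23677==
==23677== Source and destination overlap in strncpy(0xfd56ea9, 0xfd56ea9, 64)
==23677==    at 0xFFBB4C8: strncpy (mc_replace_strmem.c:329)
==23677==    by 0xFCFD9E3: snmp_log_syslogname (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==
==23677== Conditional jump or move depends on uninitialised value(s)
==23677==    at 0xFE7328C: netsnmp_linux_interface_get_if_speed (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE746DB: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==
==23677== Invalid read of size 4
==23677==    at 0xFF18220: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFF6A187: netsnmp_call_next_handler (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==  Address 0x20c is not stack'd, malloc'd or (recently) free'd
==23677==
==23677== Process terminating with default action of signal 11 (SIGSEGV)
==23677==  Access not within mapped region at address 0x20C
==23677==    at 0xFF18220: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFF6A187: netsnmp_call_next_handler (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==
==23677== ERROR SUMMARY: 74 errors from 8 contexts (suppressed: 5 from 3)
"""

PREFIX_RE = re.compile(r"^==(\d+)==\s?(.*)$")           # "==PID== rest of line"
FRAME_RE = re.compile(r"^(?:at|by) 0x([0-9A-Fa-f]+): (.+?) \((.*)\)$")
ADDRESS_RE = re.compile(r"[Aa]ddress (0x[0-9A-Fa-f]+)")
ERROR_KIND_RE = re.compile(
    r"^(Invalid (?:read|write) of size \d+"
    r"|Conditional jump or move depends on uninitialised value\(s\)"
    r"|Use of uninitialised value of size \d+"
    r"|Source and destination overlap in \w+"
    r"|Invalid free\(\)"
    r"|Mismatched free\(\)"
    r"|Process terminating with default action of signal \d+ \(\w+\))"
)
PAGE_SIZE = 4096   # assumption: the zero page is never mapped on this target


@dataclass
class Frame:
    address: int
    function: str    # "???" when Valgrind had no symbol for the frame
    location: str    # "in /usr/lib/..." or "file.c:123"


@dataclass
class ValgrindError:
    pid: int
    kind: str
    frames: List[Frame] = field(default_factory=list)
    address: Optional[int] = None   # faulting address, when the record names one

    @property
    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None


def parse_memcheck(text: str) -> List[ValgrindError]:
    """Split a Memcheck log into error records; banners and summaries are skipped."""
    errors: List[ValgrindError] = []
    current: Optional[ValgrindError] = None
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue                    # the program's own stderr, not Valgrind output
        pid, body = int(m.group(1)), m.group(2).strip()
        if not body:
            current = None              # an empty "==PID==" line closes the record
            continue
        kind = ERROR_KIND_RE.match(body)
        if kind:
            current = ValgrindError(pid=pid, kind=kind.group(1))
            errors.append(current)
            continue
        if current is None:
            continue                    # banner, Command:, HEAP/LEAK/ERROR SUMMARY
        fm = FRAME_RE.match(body)
        if fm:
            current.frames.append(Frame(int(fm.group(1), 16), fm.group(2), fm.group(3)))
            continue
        am = ADDRESS_RE.search(body)    # "Address 0x20c is not stack'd ..." etc.
        if am and current.address is None:
            current.address = int(am.group(1), 16)
    return errors


def count_by_kind(errors: List[ValgrindError]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in errors:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


def crash_record(errors: List[ValgrindError]) -> Optional[ValgrindError]:
    """The 'Process terminating' record, if the run ended in a signal."""
    return next((e for e in errors if e.kind.startswith("Process terminating")), None)


def classify_fault(err: ValgrindError) -> str:
    """Heuristic: a fault below PAGE_SIZE is NULL plus a field offset, so the
    offset tells you which struct member the code dereferenced."""
    if err.address is None:
        return "no faulting address recorded"
    if err.address < PAGE_SIZE:
        return f"NULL pointer dereference (field at offset 0x{err.address:x})"
    return f"wild pointer access at 0x{err.address:x}"


if __name__ == "__main__":
    found = parse_memcheck(SAMPLE_LOG)
    for kind, n in count_by_kind(found).items():
        print(f"{n:3d}  {kind}")
    crash = crash_record(found)
    if crash:
        print("crash:", classify_fault(crash), "in", crash.top_frame.location)
```

Run it against a full log (`python3 triage.py < snmpd-valgrind.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) to get one line per error kind plus the crash classification; for the attached log that reads as a NULL dereference of a field at offset 0x20c in an unsymbolised frame of libnetsnmphelpers, which is the first thing to check against the table-helper code once debug symbols are installed.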