[Pkg-net-snmp-devel] Bug#565635: Crashes when queried

Simon Richter sjr at debian.org
Sun Jan 17 15:06:18 UTC 2010


Package: snmpd
Version: 5.4.2.1~dfsg-5
Severity: grave

Hi,

Since the last upgrade, about any GETNEXT request makes snmpd crash,
first logging an assertion failure, then stumbling over what looks like
a null pointer dereference (address 0x20c).

To reproduce, try querying IP-MIB::ipAddressTable:

snmpgetnext -v2c -c private 127.0.0.1 1.3.6.1.2.1.4.34.1 1.3.6.1.2.1.4.34.2 1.3.6.1.2.1.4.34.3

The bug is not specific to IP-MIB, however -- there are a few problems
in this module too, but the crash happens later.

Valgrind log is attached.

   Simon

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: powerpc (ppc)

Kernel: Linux 2.6.32-trunk-powerpc
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages snmpd depends on:
ii  adduser                   3.112          add and remove users and groups
ii  debconf [debconf-2.0]     1.5.28         Debian configuration management sy
ii  libc6                     2.10.2-5       Embedded GNU C Library: Shared lib
ii  libsnmp15                 5.4.2.1~dfsg-4 SNMP (Simple Network Management Pr
ii  libwrap0                  7.6.q-18       Wietse Venema's TCP wrappers libra
ii  lsb-base                  3.2-23         Linux Standard Base 3.2 init scrip

snmpd recommends no packages.

snmpd suggests no packages.

-- debconf information:
  snmpd/upgradefrom521:
-------------- next part --------------
==23677== Memcheck, a memory error detector
==23677== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==23677== Using Valgrind-3.5.0-Debian and LibVEX; rerun with -h for copyright info
==23677== Command: snmpd -Lsd -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid 127.0.0.1
==23677== Parent PID: 23646
==23677== 
==23677== Source and destination overlap in strncpy(0xfd56ea9, 0xfd56ea9, 64)
==23677==    at 0xFFBB4C8: strncpy (mc_replace_strmem.c:329)
==23677==    by 0xFCFD9E3: snmp_log_syslogname (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==    by 0xFCFDA5B: snmp_enable_syslog_ident (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==    by 0xFCFE0FF: snmp_log_options (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==    by 0x10002713: main (in /usr/sbin/snmpd)
==23677== 
==23677== 
==23677== HEAP SUMMARY:
==23677==     in use at exit: 954 bytes in 34 blocks
==23677==   total heap usage: 87 allocs, 53 frees, 7,734 bytes allocated
==23677== 
==23677== 
==23677== HEAP SUMMARY:
==23677==     in use at exit: 954 bytes in 34 blocks
==23677==   total heap usage: 87 allocs, 53 frees, 7,734 bytes allocated
==23677== 
==23677== LEAK SUMMARY:
==23677==    definitely lost: 80 bytes in 2 blocks
==23677==    indirectly lost: 240 bytes in 20 blocks
==23677==      possibly lost: 0 bytes in 0 blocks
==23677==    still reachable: 634 bytes in 12 blocks
==23677==         suppressed: 0 bytes in 0 blocks
==23677== Rerun with --leak-check=full to see details of leaked memory
==23677== 
==23677== For counts of detected and suppressed errors, rerun with: -v
==23677== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 5 from 3)
==23677== LEAK SUMMARY:
==23677==    definitely lost: 80 bytes in 2 blocks
==23677==    indirectly lost: 240 bytes in 20 blocks
==23677==      possibly lost: 0 bytes in 0 blocks
==23677==    still reachable: 634 bytes in 12 blocks
==23677==         suppressed: 0 bytes in 0 blocks
==23677== Rerun with --leak-check=full to see details of leaked memory
==23677== 
==23677== For counts of detected and suppressed errors, rerun with: -v
==23677== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 5 from 3)
==23677== Conditional jump or move depends on uninitialised value(s)
==23677==    at 0xFE7328C: netsnmp_linux_interface_get_if_speed (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE746DB: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE43B1B: netsnmp_access_interface_init (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE7C743: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677== 
==23677== Conditional jump or move depends on uninitialised value(s)
==23677==    at 0xFE74374: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE43B1B: netsnmp_access_interface_init (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE7C743: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677== 
==23677== Conditional jump or move depends on uninitialised value(s)
==23677==    at 0xFE73294: netsnmp_linux_interface_get_if_speed (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE746DB: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE43B1B: netsnmp_access_interface_init (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE7C743: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677== 
==23677== Conditional jump or move depends on uninitialised value(s)
==23677==    at 0xFE7328C: netsnmp_linux_interface_get_if_speed (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE746DB: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE48A4F: ifTable_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE4839B: ??? (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFF0A67B: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFF0B027: netsnmp_cache_handler_get (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFE4813B: _ifTable_initialize_interface (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE167EB: initialize_table_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE16BFF: init_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE7CE53: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677== 
==23677== Conditional jump or move depends on uninitialised value(s)
==23677==    at 0xFE74374: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE48A4F: ifTable_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE4839B: ??? (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFF0A67B: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFF0B027: netsnmp_cache_handler_get (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFE4813B: _ifTable_initialize_interface (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE167EB: initialize_table_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE16BFF: init_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE7CE53: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677== 
==23677== Conditional jump or move depends on uninitialised value(s)
==23677==    at 0xFE73294: netsnmp_linux_interface_get_if_speed (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE746DB: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE438D3: netsnmp_access_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE48A4F: ifTable_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE4839B: ??? (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFF0A67B: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFF0B027: netsnmp_cache_handler_get (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFE4813B: _ifTable_initialize_interface (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE167EB: initialize_table_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE16BFF: init_ifTable (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE7CE53: init_mib_modules (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0x10002BC3: main (in /usr/sbin/snmpd)
==23677== 
==23677== Invalid read of size 4
==23677==    at 0xFF18220: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFF6A187: netsnmp_call_next_handler (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFF13F0F: table_helper_handler (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFF6A6B7: netsnmp_call_handlers (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFF5859B: handle_var_requests (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFF5A647: handle_pdu (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFF5D1C7: netsnmp_handle_request (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFF5DF0B: handle_snmp_packet (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFCE2B8B: ??? (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==    by 0xFCE4ACF: _sess_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==    by 0xFCE521B: snmp_sess_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==    by 0xFCE52AB: snmp_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==  Address 0x20c is not stack'd, malloc'd or (recently) free'd
==23677== 
==23677== 
==23677== Process terminating with default action of signal 11 (SIGSEGV)
==23677==  Access not within mapped region at address 0x20C
==23677==    at 0xFF18220: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFF6A187: netsnmp_call_next_handler (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFF13F0F: table_helper_handler (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFF6A6B7: netsnmp_call_handlers (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFF5859B: handle_var_requests (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFF5A647: handle_pdu (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFF5D1C7: netsnmp_handle_request (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFF5DF0B: handle_snmp_packet (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==    by 0xFCE2B8B: ??? (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==    by 0xFCE4ACF: _sess_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==    by 0xFCE521B: snmp_sess_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==    by 0xFCE52AB: snmp_read (in /usr/lib/libnetsnmp.so.15.1.2)
==23677==  If you believe this happened as a result of a stack
==23677==  overflow in your program's main thread (unlikely but
==23677==  possible), you can try to increase the size of the
==23677==  main thread stack using the --main-stacksize= flag.
==23677==  The main thread stack size used in this run was 8388608.
==23677== 
==23677== HEAP SUMMARY:
==23677==     in use at exit: 776,860 bytes in 17,572 blocks
==23677==   total heap usage: 20,514 allocs, 2,942 frees, 1,292,896 bytes allocated
==23677== 
==23677== LEAK SUMMARY:
==23677==    definitely lost: 764 bytes in 21 blocks
==23677==    indirectly lost: 240 bytes in 20 blocks
==23677==      possibly lost: 0 bytes in 0 blocks
==23677==    still reachable: 775,856 bytes in 17,531 blocks
==23677==         suppressed: 0 bytes in 0 blocks
==23677== Rerun with --leak-check=full to see details of leaked memory
==23677== 
==23677== For counts of detected and suppressed errors, rerun with: -v
==23677== Use --track-origins=yes to see where uninitialised values come from
==23677== ERROR SUMMARY: 74 errors from 8 contexts (suppressed: 5 from 3)
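A small triage parser for Memcheck output like the log above, added here as an example (it is not part of the bug report or of net-snmp): it groups each error with its first resolvable symbol and flags the crash address 0x20c as a NULL-plus-struct-offset read, which is what "null pointer dereference" in the report refers to. The sample is a constructed excerpt of lines taken from the attached log; the page-size threshold in `likely_null_deref` is an assumption.

```python
import re

# Constructed sample: a handful of lines lifted from the Valgrind log above
# (the separator lines are dropped; PIDs, addresses and symbols are as logged).
SAMPLE_LOG = """\
==23677== Source and destination overlap in strncpy(0xfd56ea9, 0xfd56ea9, 64)
==23677==    at 0xFFBB4C8: strncpy (mc_replace_strmem.c:329)
==23677==    by 0xFCFD9E3: snmp_log_syslogname (in /usr/lib/libnetsnmp.so.15.1.2)
==23677== Conditional jump or move depends on uninitialised value(s)
==23677==    at 0xFE7328C: netsnmp_linux_interface_get_if_speed (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677==    by 0xFE746DB: netsnmp_arch_interface_container_load (in /usr/lib/libnetsnmpmibs.so.15.1.2)
==23677== Invalid read of size 4
==23677==    at 0xFF18220: ??? (in /usr/lib/libnetsnmphelpers.so.15.1.2)
==23677==    by 0xFF6A187: netsnmp_call_next_handler (in /usr/lib/libnetsnmpagent.so.15.1.2)
==23677==  Address 0x20c is not stack'd, malloc'd or (recently) free'd
"""

# One Memcheck error = a header line, then "at"/"by" frames, then optional address info.
HEADER = re.compile(r"^==\d+==\s(Invalid read|Invalid write|Conditional jump|"
                    r"Source and destination overlap|Use of uninitialised)")
FRAME = re.compile(r"^==\d+==\s+(?:at|by)\s+0x[0-9A-Fa-f]+:\s+(\S+)\s+\(")
ADDR = re.compile(r"^==\d+==\s+Address (0x[0-9a-fA-F]+) is not stack'd, malloc'd or \(recently\) free'd")

def parse_valgrind(text):
    """Group each Memcheck error with its frames and (if any) faulting address."""
    errors, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"kind": m.group(1), "frames": [], "address": None}
            errors.append(cur)
            continue
        if cur is None:
            continue
        m = FRAME.match(line)
        if m:
            cur["frames"].append(m.group(1))
            continue
        m = ADDR.match(line)
        if m:
            cur["address"] = int(m.group(1), 16)
    return errors

def first_symbol(err):
    """First frame with a real symbol, skipping '???' from stripped libraries."""
    return next((f for f in err["frames"] if f != "???"), None)

def likely_null_deref(err, page=4096):
    """An unmapped address below the first page (assumed 4 KiB) reads as NULL + field offset."""
    return err["address"] is not None and err["address"] < page
```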