#16 SIGSEGV when heavier sol traffic


I use "sol" access to the remote serial console, and when the terminal traffic is bigger (such as when running vi or other fullscreen application), ipmitool crashes with SIGSEGV. I have compiled in with -g, and ran under gdb:

$ gdb ./src/ipmitool
(gdb) r -I lanplus -U user -P pass -H ipmi-myserver

[ start vi on the remote server, edit something, and after a while I got this ]

Program received signal SIGSEGV, Segmentation fault.
0x000000000044376b in ipmi_lanplus_recv_sol (intf=0x6b92e0) at lanplus.c:2459
2459 if(rsp->session.authtype != 0)
(gdb) where
#0 0x000000000044376b in ipmi_lanplus_recv_sol (intf=0x6b92e0)
at lanplus.c:2459
#1 0x00000000004432af in ipmi_lanplus_send_payload (intf=0x6b92e0, All
payload=0x7fff836ce4a0) at lanplus.c:2167
#2 0x00000000004434b9 in ipmi_lanplus_send_sol (intf=0x6b92e0,
v2_payload=0x7fff836ce4a0) at lanplus.c:2298
#3 0x0000000000417b38 in processSolUserInput (intf=0x6b92e0,
input=0x73e080 "a", buffer_length=1) at ipmi_sol.c:1264
#4 0x0000000000417e45 in ipmi_sol_red_pill (intf=0x6b92e0) at ipmi_sol.c:1381
#5 0x0000000000418449 in ipmi_sol_activate (intf=0x6b92e0, looptest=0,
interval=0) at ipmi_sol.c:1608
#6 0x0000000000418820 in ipmi_sol_main (intf=0x6b92e0, argc=1,
argv=0x7fff836cee08) at ipmi_sol.c:1721
#7 0x00000000004389d7 in ipmi_cmd_run (intf=0x6b92e0,
name=0x7fff836cf9d9 "sol", argc=1, argv=0x7fff836cee08) at ipmi_main.c:207
#8 0x0000000000439898 in ipmi_main (argc=11, argv=0x7fff836cedb8,
cmdlist=0x68d000, intflist=0x0) at ipmi_main.c:601
#9 0x0000000000403ddd in main (argc=11, argv=0x7fff836cedb8) at ipmitool.c:115

The client is Fedora 6/x86_64, ipmitool 1.8.8. The server is Tyan Transport VX50 (Tyan S4881+M4881 8-cpu machine), IPMI BMC is Tyan SMDC 3291.

I can add more information (packet dumps, maybe) on request.


  • Logged In: YES
    Originator: YES

    Crap, I did not paste the whole commandline. As you would probably guess, it is

    (gdb) r -I lanplus -U user -P pass -H ipmi-myserver sol activate

  • Luke Suchocki
    Luke Suchocki

    Logged In: YES
    Originator: NO

    I have confirmed this to be an issue as well, with Intel SE7520JR2 board, ipmitool 1.8.8, and the -o intelplus command line option.

    I have been echo'ing data into ipmitool from commandline, and have notices that when the data length exceeds 91 or 92 characters, I received the segfault.

    Could this have something to do with an overflow within an i/o routine?


  • Luke Suchocki
    Luke Suchocki

    Logged In: YES
    Originator: NO

    from plugins/lanplus/lanplus.c:
    While looking for the Ack packet after sending the SOL, we run ipmi_lanplus_recv_sol, then ipmi_lan_poll_recv. When the sent SOL payload is more than 9 less than the "maximum" (which is 100 on my system, actual without error is 91) ipmi_lan_recv_packet times out and returns null to rsp.
    ipmi_lan_poll_recv returns that same null rsp
    ipmi_lanplus_recv_sol then attempts to reference rsp->session.authtype, and we have Segfault.

    These patches seem to fix the issue for me.

    <diff -r ipmitool-1.8.8/lib/ipmi_sol.c ipmitool-1.8.8-sol_segv/lib/ipmi_sol.c
    < int buffer_size = intf->session->sol_data.max_inbound_payload_size;
    > int buffer_size = intf->session->sol_data.max_inbound_payload_size - 9;
    diff -r ipmitool-1.8.8/src/plugins/lanplus/lanplus.c ipmitool-1.8.8-sol_segv/src/plugins/lanplus/lanplus.c
    < if(rsp->session.authtype != 0)
    > if(rsp != NULL)
    > if(rsp->session.authtype != 0)
    > {
    < check_sol_packet_for_new_data(intf, rsp);
    < }
    > check_sol_packet_for_new_data(intf, rsp);
    > }
    > }

    Is there something special about 9 less than the max? Is there overhead within the payload that we can't use for data?

    --Luke Suchocki

  • Zdenek Styblik
    Zdenek Styblik

    • status: open --> closed-out-of-date
    • assigned_to: Zdenek Styblik
    • Group: --> version-unknown
  • Zdenek Styblik
    Zdenek Styblik

    Closing as out-of-date. Open a new ticket if needed be.