Menu

#2511 netsnmp_ds_strings() double freed under multithreading session

64-bit
closed
Niels Baggesen
None
3
2015-01-26
2013-11-21
Yi Hu
No

Hi,

I'm using Net-SNMP 5.4.2.1 library as a SNMP client frame work.
This is a multithreaded client, one session per thread.

However, I saw a possibility which could cause the double free in netsnmp_ds_set_string() under multi-threading:

if (netsnmp_ds_strings[storeid][which] != NULL) {
    free(netsnmp_ds_strings[storeid][which]);   <-----
    netsnmp_ds_strings[storeid][which] = NULL;
}

If thread 1 calling the free() and not yet finished, then the OS switch to thread 2 and run into the same line with the same [storeid][which] as thread 1. This could cause a double free on this point.

The same code exist in the latest version of Net-SNMP.

Do I miss something? I think the net-snmp lib can be use under multithread with one independent session per thread, right?

Discussion

  • Peter Jia

    Peter Jia - 2015-01-14

    I agree with you. I think this bug perhaps is caused by this issue.
    https://sourceforge.net/p/net-snmp/bugs/2268/

     

  • Yi Hu

    Yi Hu - 2015-01-14

    Yeah.. I put lock to resolve the problem.
    And there is another place that has a similar issue.

     

  • Niels Baggesen

    Niels Baggesen - 2015-01-14

    Can you share your patch, please?

     

  • Yi Hu

    Yi Hu - 2015-01-14

    Sorry, I dont have the patch in my hand right now.
    And I think this is just a hack. I don't know if it is proper to use the pthread in net-snmp code.

    snmplib/default_store.c

    include <pthread.h>

    ....
    static pthread_mutex_t m;
    ...
    pthread_mutex_lock(&m);//<-------
    if (netsnmp_ds_strings[storeid][which] != NULL) {
    free(netsnmp_ds_strings[storeid][which]);
    netsnmp_ds_strings[storeid][which] = NULL;
    }
    pthread_mutex_unlock(&m);//<-------
    ....
    ...
    for (i = 0; i < NETSNMP_DS_MAX_IDS; i++) {
    for (j = 0; j < NETSNMP_DS_MAX_SUBIDS; j++) {
    pthread_mutex_lock(&m);//<-------
    if (netsnmp_ds_strings[i][j] != NULL) {
    free(netsnmp_ds_strings[i][j]);
    netsnmp_ds_strings[i][j] = NULL;
    }
    pthread_mutex_unlock(&m);//<-------
    }
    }

     

  • Peter Jia

    Peter Jia - 2015-01-14

    I am just using the patch similar like Yi's. I will do some test later to make sure this fix can work.

     

    Last edit: Peter Jia 2015-01-14

  • Yi Hu

    Yi Hu - 2015-01-14

    Thanks Peter!

    I remember the issue is not quite easy to recreate.
    Somehow, have to call the SNMP API in a high frequency way.
    Anyway, thanks for testing.

     

  • Peter Jia

    Peter Jia - 2015-01-15

    Hi Yi,
    The issue can easily reproduce in our lab. I run the test in our lab with the fix. The issue does not happen. I think the fix is OK.
    But when the fix will check in the release?

    Thank you!
    Peter

     

  • Yi Hu

    Yi Hu - 2015-01-16

    You can ask Niels to review the patch. Thanks.

     

  • Niels Baggesen

    Niels Baggesen - 2015-01-20

    Sorry for the delay in getting back, but it has been some busy weeks ...

    I have attached a patch that should do it "the Net-SNMP way". Please try it out and tell me how it works.

     
    ds_thread.patch

    • Peter Jia

      Peter Jia - 2015-01-21

      Many thanks, Niels.
      I will try your fix when our lab is available.

       

  • Niels Baggesen

    Niels Baggesen - 2015-01-20
    • status: open --> pending
    • assigned_to: Niels Baggesen
     

  • Peter Jia

    Peter Jia - 2015-01-23

    Have run test in our lab, no issue found.

     

  • Niels Baggesen

    Niels Baggesen - 2015-01-26
    • status: pending --> closed
     

  • Niels Baggesen

    Niels Baggesen - 2015-01-26

    Thanks for testing this. The patch has now been applied for all active branches.

     

Log in to post a comment.