I use "sol" access to the remote serial console, and when the terminal traffic is bigger (such as when running vi or another fullscreen application), ipmitool crashes with SIGSEGV. I have compiled it with -g, and ran it under gdb:
$ gdb ./src/ipmitool
[...]
(gdb) r -I lanplus -U user -P pass -H ipmi-myserver
[ start vi on the remote server, edit something, and after a while I got this ]
Program received signal SIGSEGV, Segmentation fault.
0x000000000044376b in ipmi_lanplus_recv_sol (intf=0x6b92e0) at lanplus.c:2459
2459 if(rsp->session.authtype != 0)
(gdb) where
#0 0x000000000044376b in ipmi_lanplus_recv_sol (intf=0x6b92e0)
at lanplus.c:2459
#1 0x00000000004432af in ipmi_lanplus_send_payload (intf=0x6b92e0,
payload=0x7fff836ce4a0) at lanplus.c:2167
#2 0x00000000004434b9 in ipmi_lanplus_send_sol (intf=0x6b92e0,
v2_payload=0x7fff836ce4a0) at lanplus.c:2298
#3 0x0000000000417b38 in processSolUserInput (intf=0x6b92e0,
input=0x73e080 "a", buffer_length=1) at ipmi_sol.c:1264
#4 0x0000000000417e45 in ipmi_sol_red_pill (intf=0x6b92e0) at ipmi_sol.c:1381
#5 0x0000000000418449 in ipmi_sol_activate (intf=0x6b92e0, looptest=0,
interval=0) at ipmi_sol.c:1608
#6 0x0000000000418820 in ipmi_sol_main (intf=0x6b92e0, argc=1,
argv=0x7fff836cee08) at ipmi_sol.c:1721
#7 0x00000000004389d7 in ipmi_cmd_run (intf=0x6b92e0,
name=0x7fff836cf9d9 "sol", argc=1, argv=0x7fff836cee08) at ipmi_main.c:207
#8 0x0000000000439898 in ipmi_main (argc=11, argv=0x7fff836cedb8,
cmdlist=0x68d000, intflist=0x0) at ipmi_main.c:601
#9 0x0000000000403ddd in main (argc=11, argv=0x7fff836cedb8) at ipmitool.c:115
(gdb)
The client is Fedora 6/x86_64, ipmitool 1.8.8. The server is Tyan Transport VX50 (Tyan S4881+M4881 8-cpu machine), IPMI BMC is Tyan SMDC 3291.
I can add more information (packet dumps, maybe) on request.
Logged In: YES
user_id=579086
Originator: YES
Crap, I did not paste the whole command line. As you would probably guess, it is
(gdb) r -I lanplus -U user -P pass -H ipmi-myserver sol activate
^^^^^^^^^^^^
Logged In: YES
user_id=1690482
Originator: NO
I have confirmed this to be an issue as well, with Intel SE7520JR2 board, ipmitool 1.8.8, and the -o intelplus command line option.
I have been echoing data into ipmitool from the command line, and have noticed that when the data length exceeds 91 or 92 characters, I received the segfault.
Could this have something to do with an overflow within an i/o routine?
--Luke
Logged In: YES
user_id=1690482
Originator: NO
from plugins/lanplus/lanplus.c:
While looking for the Ack packet after sending the SOL, we run ipmi_lanplus_recv_sol, then ipmi_lan_poll_recv. When the sent SOL payload is more than 9 less than the "maximum" (which is 100 on my system, actual without error is 91) ipmi_lan_recv_packet times out and returns null to rsp.
ipmi_lan_poll_recv returns that same null rsp
ipmi_lanplus_recv_sol then attempts to reference rsp->session.authtype, and we have Segfault.
These patches seem to fix the issue for me.
diff -r ipmitool-1.8.8/lib/ipmi_sol.c ipmitool-1.8.8-sol_segv/lib/ipmi_sol.c
1319c1319
< int buffer_size = intf->session->sol_data.max_inbound_payload_size;
---
> int buffer_size = intf->session->sol_data.max_inbound_payload_size - 9;
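Review bot: the `- 9` in `> int buffer_size = intf->session->sol_data.max_inbound_payload_size - 9;` is an unexplained magic number, and the thread itself asks what it stands for; give it a named constant with a comment stating where the overhead comes from, and guard against `max_inbound_payload_size` being smaller than that overhead, which would leave `buffer_size` negative (or wrapped, depending on the field's type) before it is used as a buffer size.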
diff -r ipmitool-1.8.8/src/plugins/lanplus/lanplus.c ipmitool-1.8.8-sol_segv/src/plugins/lanplus/lanplus.c
2459c2459
< if(rsp->session.authtype != 0)
---
> if(rsp != NULL)
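Review bot: replacing the dereference with `> if(rsp != NULL)` stops the crash, but a NULL here means the ACK never arrived (the timeout case described above) and the patched function now falls through silently; the caller should be told, for example by logging the timeout and returning an error from ipmi_lanplus_recv_sol, so the retry-or-abort decision is made there instead of being lost.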
2460a2461,2462
> if(rsp->session.authtype != 0)
> {
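Review bot: nesting the original condition `> if(rsp->session.authtype != 0)` inside the new NULL check adds an indentation level to the whole block; an early return when `rsp == NULL` at the top of the function would leave the existing body untouched and make the diff smaller and easier to review.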
2467,2468c2469,2471
< check_sol_packet_for_new_data(intf, rsp);
< }
---
> check_sol_packet_for_new_data(intf, rsp);
> }
> }
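Review bot: the re-indented lines and the extra closing brace in this hunk lost their indentation in the paste, so brace balance cannot be verified from what is shown; a unified diff (`diff -u`) with context lines would make the change reviewable.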
Is there something special about 9 less than the max? Is there overhead within the payload that we can't use for data?
--Luke Suchocki
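The failure sequence Luke describes (the transport times out and returns NULL, the receive path dereferences it) together with the chunk-size budget from the patch, modelled as an added C example. This is not ipmitool's code: all names are hypothetical, and the fake transport with its 91-byte threshold is constructed from the numbers quoted in this thread.

```c
#include <stddef.h>
#include <stdio.h>
/* Minimal stand-in for the response struct; only the field the crash touched. */
struct rsp { unsigned char authtype; };
/* Transport callback: returns NULL on timeout, as ipmi_lan_poll_recv does in the report. */
typedef struct rsp *(*poll_fn)(size_t sent_len);
enum sol_ack { SOL_ACK_OK = 0, SOL_ACK_IGNORED = 1, SOL_ACK_TIMEOUT = -1 };

/* Hardened ack wait: a missing response is reported to the caller, never dereferenced. */
enum sol_ack recv_sol_ack(poll_fn poll, size_t sent_len)
{
    struct rsp *rsp = poll(sent_len);
    if (rsp == NULL)            /* the case that segfaulted in 1.8.8 */
        return SOL_ACK_TIMEOUT;
    if (rsp->authtype != 0)     /* original condition, now reached only with a valid pointer */
        return SOL_ACK_OK;      /* real code would process the packet here */
    return SOL_ACK_IGNORED;
}

/* Payload budget: the patch subtracts a literal 9; clamp so the result can never go negative. */
size_t sol_chunk_size(unsigned max_inbound, unsigned overhead)
{
    return max_inbound > overhead ? max_inbound - overhead : 1;
}

/* Send a buffer in chunks, stopping at the first chunk that is not acknowledged.
 * Returns the number of bytes acknowledged. */
size_t send_sol_buffer(poll_fn poll, size_t total, size_t chunk)
{
    size_t done = 0;
    while (done < total) {
        size_t n = total - done < chunk ? total - done : chunk;
        if (recv_sol_ack(poll, n) != SOL_ACK_OK)
            break;
        done += n;
    }
    return done;
}

/* Constructed transport mimicking the observed behaviour: no ack once more than 91 bytes are sent. */
static struct rsp fake_ok = { 1 };   /* any nonzero authtype, as in the patched condition */
struct rsp *fake_poll(size_t sent_len) { return sent_len > 91 ? NULL : &fake_ok; }

int main(void)
{
    size_t chunk = sol_chunk_size(100, 9);   /* 91, the working size from the thread */
    printf("chunked: %zu bytes acked\n", send_sol_buffer(fake_poll, 500, chunk));  /* 500 */
    printf("oversized: %zu bytes acked\n", send_sol_buffer(fake_poll, 500, 100)); /* 0 */
    return 0;
}
```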
Closing as out-of-date. Open a new ticket if need be.