application linked with net-snmp library v5.5 runs without problems until it is linked with net-snmp with --enable-ipv6. Then it crashes during startup.
Valgrind points to netsnmp_access_ipaddress_entry_free (ipaddress_common.c:191) where data is freed, but accessed and freed afterwards.
uname -a: Linux dcm 2.6.10-mV01-00-73 #1 Wed Sep 14 18:37:40 CEST 2011 ppc GNU/Linux (montavista)
library configure parameters:
CONFIG_FLAGS=" --disable-applications"
CONFIG_FLAGS+=" --enable-ipv6"
CONFIG_FLAGS+=" --with-transports=UDPIPv6"
CONFIG_FLAGS+=" --disable-mib-loading"
CONFIG_FLAGS+=" --host=powerpc-hardhat-linux"
CONFIG_FLAGS+=" --target=powerpc-hardhat-linux"
CONFIG_FLAGS+=" --with-default-snmp-version=2"
CONFIG_FLAGS+=" --with-endianness=big"
CONFIG_FLAGS+=" --with-logfile=none"
CONFIG_FLAGS+=" --with-persistent-directory=/var/net-snmp"
CONFIG_FLAGS+=" --without-rpm"
CONFIG_FLAGS+=" --with-out-mib-modules='default_modules if-mib ip-mib ip-forward-mib tcp-mib udp-mib utilities if-mib/ifTable ip-mib/data_access'"
CONFIG_FLAGS+=" --with-mib-modules='mibII mibII/at mibII/snmp_mib_5_5 mibII/sysORTable mibII/system_mib mibII/updates mibII/ipv6 if-mib/data_access/interface if-mib/data_access/interface_linux if-mib/data_access/interface_ioctl utilities/execute'"
CONFIG_FLAGS+=" --with-ldflags='-lpthread'"
CONFIG_FLAGS+=" --with-cflags='-g3 -O0'"
Logging:
error on subcontainer 'ia_index' insert (-1)
error on subcontainer 'ia_index' insert (-1)
error on subcontainer 'ia_index' insert (-1)
error on subcontainer 'ia_index' insert (-1)
*** glibc detected *** free(): invalid pointer: 0x10aaa698 ***
GDB:
(gdb) where
#0 0x1069097c in snmp_oid_compare (in_name1=0x0, len1=278082424, in_name2=0x10933070, len2=1) at /home/verstrs/Projects/libs/net-snmp-5.5/net-snmp-5.5/snmplib/snmp_api.c:6654
#1 0x106d90a4 in netsnmp_compare_netsnmp_index (lhs=0x109333f0, rhs=0x10933068) at /home/verstrs/Projects/libs/net-snmp-5.5/net-snmp-5.5/snmplib/container.c:470
#2 0x106d963c in array_qsort (data=0x10932fd0, first=0, last=9, f=0x106d8f1c <netsnmp_compare_netsnmp_index>) at /home/verstrs/Projects/libs/net-snmp-5.5/net-snmp-5.5/snmplib/container_binary_array.c:69
#3 0x106d98e4 in Sort_Array (c=0x10933378) at /home/verstrs/Projects/libs/net-snmp-5.5/net-snmp-5.5/snmplib/container_binary_array.c:110
#4 0x106db26c in _ba_iterator_reset (it=0x109333f0) at /home/verstrs/Projects/libs/net-snmp-5.5/net-snmp-5.5/snmplib/container_binary_array.c:691
#5 0x106db3c0 in _ba_iterator_get (c=0x10933378) at /home/verstrs/Projects/libs/net-snmp-5.5/net-snmp-5.5/snmplib/container_binary_array.c:733
#6 0x1062b410 in _arch_interface_has_ipv6 (if_index=1, flags=0x7ffff864, addr_container=0x10933378) at /home/verstrs/Projects/libs/net-snmp-5.5/net-snmp-5.5/agent/mibgroup/if-mib/data_access/interface_linux.c:197
#7 0x1062c678 in netsnmp_arch_interface_container_load (container=0x10933190, load_flags=0) at /home/verstrs/Projects/libs/net-snmp-5.5/net-snmp-5.5/agent/mibgroup/if-mib/data_access/interface_linux.c:585
#8 0x106292ac in netsnmp_access_interface_container_load (container=0x10933190, load_flags=0) at /home/verstrs/Projects/libs/net-snmp-5.5/net-snmp-5.5/agent/mibgroup/if-mib/data_access/interface.c:159
#9 0x10628fc0 in netsnmp_access_interface_init () at /home/verstrs/Projects/libs/net-snmp-5.5/net-snmp-5.5/agent/mibgroup/if-mib/data_access/interface.c:88
#10 0x10624548 in init_mib_modules () at /home/verstrs/Projects/libs/net-snmp-5.5/net-snmp-5.5/agent/mib_modules.c:76
#11 0x10584ab0 in CAgentxAgent::InitMIB_Modules (this=0x10911cc8) at /home/verstrs/Projects/DCM_SNMP/Application/Framework/SNMP/AgentxAgent-net-snmp.cpp:163
#12 0x1000d320 in CDCM_SNMP_Agent (this=0x10911cb8, pDCM_Cache=0x1090c128, bDebugSNMP_Agent=false) at /home/verstrs/Projects/DCM_SNMP/Application/Software/Agent/DCM_SNMP_Agent.cpp:138
#13 0x1000bd38 in CDCM_SNMP_Agent::Initialize (pDCM_Cache=0x1090c128, bDebugSNMP_Agent=false) at /home/verstrs/Projects/DCM_SNMP/Application/Software/Agent/DCM_SNMP_Agent.cpp:38
#14 0x10014f3c in InitializeAgent (pDCM_Cache=0x1090c128, bDebugSNMP_Agent=false) at /home/verstrs/Projects/DCM_SNMP/Application/Software/Agent/Agent.cpp:7
#15 0x10164a7c in Root (argc=1, argv=0x7ffffce4) at /home/verstrs/Projects/DCM_SNMP/Application/Software/Root/Root.cpp:86
#16 0x105fd7d0 in main (argc=1, argv=0x7ffffce4) at /home/verstrs/Projects/DCM_SNMP/Application/DCM_SNMP.cpp:21
(gdb) list
6649 /*
6650 * these must be done in seperate comparisons, since
6651 * subtracting them and using that result has problems with
6652 * subids > 2^31.
6653 */
6654 if (*(name1) != *(name2)) {
6655 if (*(name1) < *(name2))
6656 return -1;
6657 return 1;
6658 }
valgrind: see attachment vg-log.txt
relevant entries in valgrind log
The call stack in vg-log.txt refers to an old version of the ip-mib code. Because of scalability concerns that code has been rewritten not too long ago such that it listens to netlink notifications instead of scanning the entire network address table during each Net-SNMP cache reload. Is this behavior reproducible with Net-SNMP 5.7.1rc3 (which will be released one of these days as 5.7.1)? See also http://www.net-snmp.org/download.html.
Thank you for the comment. I will try 5.7.1rc3 and let you know.
Using 5.7.1 (last night) removes the invalid reads, but there is still a crash because of a double free:
*** glibc detected *** double free or corruption: 0x309489d8 ***
Gdb didn't show a valid trace, but valgrind shows another invalid free:
==13388== at 0xFFBAD08: free (vg_replace_malloc.c:323)
==13388== by 0x1074FD68: netsnmp_register_old_api (old_api.c:130)
==13388== by 0x10725848: register_mib_context (agent_registry.c:1415)
==13388== by 0x107258EC: register_mib_range (agent_registry.c:1477)
==13388== by 0x10725970: register_mib_priority (agent_registry.c:1523)
==13388== by 0x107259DC: register_mib (agent_registry.c:1562)
==13388== by 0x1061F684: init_vacm_vars (vacm_vars.c:127)
==13388== by 0x10624D58: init_mib_modules (mib_module_inits.h:12)
==13388== by 0x10585270: CAgentxAgent::InitMIB_Modules() (AgentxAgent-net-snmp.cpp:163)
==13388== by 0x1000DAE0: CDCM_SNMP_Agent::CDCM_SNMP_Agent(CDCM_Cache*, bool) (DCM_SNMP_Agent.cpp:138)
==13388== by 0x1000C4F8: CDCM_SNMP_Agent::Initialize(CDCM_Cache*, bool) (DCM_SNMP_Agent.cpp:38)
==13388== by 0x100156FC: InitializeAgent (Agent.cpp:7)
==13388== by 0x1016523C: Root (Root.cpp:86)
==13388== by 0x105FDF90: main (DCM_SNMP.cpp:21)
==13388== Address 0x4141428 is 0 bytes inside a block of size 16 free'd
==13388== at 0xFFBAD08: free (vg_replace_malloc.c:323)
==13388== by 0x1072059C: netsnmp_handler_free (agent_handler.c:694)
==13388== by 0x10720558: netsnmp_handler_free (agent_handler.c:689)
==13388== by 0x107207EC: netsnmp_handler_registration_free (agent_handler.c:765)
==13388== by 0x10722EC0: netsnmp_subtree_free (agent_registry.c:474)
==13388== by 0x10725364: netsnmp_register_mib (agent_registry.c:1234)
==13388== by 0x1071F36C: netsnmp_register_handler (agent_handler.c:305)
==13388== by 0x1074FD48: netsnmp_register_old_api (old_api.c:128)
==13388== by 0x10725848: register_mib_context (agent_registry.c:1415)
==13388== by 0x107258EC: register_mib_range (agent_registry.c:1477)
==13388== by 0x10725970: register_mib_priority (agent_registry.c:1523)
==13388== by 0x107259DC: register_mib (agent_registry.c:1562)
==13388== by 0x1061F684: init_vacm_vars (vacm_vars.c:127)
==13388== by 0x10624D58: init_mib_modules (mib_module_inits.h:12)
==13388== by 0x10585270: CAgentxAgent::InitMIB_Modules() (AgentxAgent-net-snmp.cpp:163)
==13388== by 0x1000DAE0: CDCM_SNMP_Agent::CDCM_SNMP_Agent(CDCM_Cache*, bool) (DCM_SNMP_Agent.cpp:138)
==13388== by 0x1000C4F8: CDCM_SNMP_Agent::Initialize(CDCM_Cache*, bool) (DCM_SNMP_Agent.cpp:38)
==13388== by 0x100156FC: InitializeAgent (Agent.cpp:7)
==13388== by 0x1016523C: Root (Root.cpp:86)
==13388== by 0x105FDF90: main (DCM_SNMP.cpp:21)
gcc version: ppc_440-gcc (GCC) 3.4.3 (MontaVista 3.4.3-25.0.156.1001317 2010-03-14)
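The two valgrind stacks above describe an ownership hand-off: the 16-byte block is released inside netsnmp_handler_free while netsnmp_register_handler is tearing down a registration that failed, and then old_api.c:130 frees the same pointer again. The following is an added example, not net-snmp code and not part of this thread: a small model of that pattern in C, with the pre-patch caller that frees on the error path beside a caller that treats the callee as the owner. Releases are counted through a static pool instead of the heap so the second release is observable rather than undefined behaviour; all names (tracked_t, register_handler, register_old_api_buggy, register_old_api_fixed) are hypothetical.

```c
/* Added example, not net-snmp code. Models the ownership hand-off behind
 * the double free: the registration callee frees the registration and the
 * private data hung off it when it fails, so the caller must not release
 * that data again on its error path. Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 16
#define REGISTRY_SIZE 8

/* Stands in for the 16-byte block the valgrind trace reports. */
typedef struct tracked {
    int  free_count;   /* how many times this block was released */
    char payload[16];
} tracked_t;

/* A handler registration whose private data hangs off `myvoid`. */
typedef struct registration {
    tracked_t *myvoid;
} registration_t;

static tracked_t       pool[POOL_SIZE];   /* constructed allocator pool */
static int             pool_len;
static registration_t *registry[REGISTRY_SIZE];
static int             registry_len;

/* Hands out a pool slot so a block stays readable after being "freed". */
static tracked_t *tracked_new(void) {
    if (pool_len == POOL_SIZE)
        return NULL;
    tracked_t *t = &pool[pool_len++];
    memset(t, 0, sizeof *t);
    strcpy(t->payload, "old_api_info");
    return t;
}

/* Counting release: a real implementation would call free() here, and the
 * second call would be glibc's "double free or corruption" abort. */
static void tracked_release(tracked_t *t) {
    if (t)
        t->free_count++;
}

/* Mirrors netsnmp_handler_registration_free -> netsnmp_handler_free in the
 * trace: freeing the registration releases its private data too. */
static void registration_free(registration_t *reg) {
    if (!reg)
        return;
    tracked_release(reg->myvoid);
    free(reg);
}

/* Mirrors netsnmp_register_handler(): takes ownership of `reg` whether it
 * succeeds or fails, and on failure frees everything it was handed. */
static int register_handler(registration_t *reg, int simulate_failure) {
    if (simulate_failure || registry_len == REGISTRY_SIZE) {
        registration_free(reg);
        return -1;                 /* not MIB_REGISTERED_OK */
    }
    registry[registry_len++] = reg;
    return 0;
}

/* Pre-patch pattern: the caller releases vp again when registration fails.
 * Returns how many times vp was released (2 on failure = double free). */
static int register_old_api_buggy(int simulate_failure) {
    tracked_t *vp = tracked_new();
    registration_t *reg = calloc(1, sizeof *reg);
    if (!vp || !reg) { free(reg); return -1; }
    reg->myvoid = vp;
    if (register_handler(reg, simulate_failure) != 0)
        tracked_release(vp);       /* BUG: callee already released it */
    return vp->free_count;
}

/* Patched pattern: ownership of reg and vp passes to register_handler(),
 * so the error path does nothing. Returns 1 on failure, 0 on success. */
static int register_old_api_fixed(int simulate_failure) {
    tracked_t *vp = tracked_new();
    registration_t *reg = calloc(1, sizeof *reg);
    if (!vp || !reg) { free(reg); return -1; }
    reg->myvoid = vp;
    if (register_handler(reg, simulate_failure) != 0) {
        /* reg and vp were freed by the callee; nothing left to release */
    }
    return vp->free_count;
}

/* Tears down successful registrations and recycles the pool. */
static void registry_clear(void) {
    for (int i = 0; i < registry_len; i++)
        registration_free(registry[i]);
    registry_len = 0;
    pool_len = 0;
}

int main(void) {
    printf("buggy caller, registration fails: vp released %d times\n",
           register_old_api_buggy(1));
    printf("fixed caller, registration fails: vp released %d times\n",
           register_old_api_fixed(1));
    registry_clear();
    return 0;
}
```

The rule the fix encodes is the one a reviewer should look for in any API that can fail after being handed heap objects: either the callee releases everything it received on failure (and the caller's error path must then be empty), or the callee releases nothing and the caller cleans up, never a mix.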
If the patch below fixes the double free, I'll commit it:
[PATCH] CHANGES: agent: Avoid that netsnmp_register_old_api() failure triggers a double free.
---
agent/helpers/old_api.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/agent/helpers/old_api.c b/agent/helpers/old_api.c
index b1630e6..2d710b0 100644
--- a/agent/helpers/old_api.c
+++ b/agent/helpers/old_api.c
@@ -127,7 +127,7 @@ netsnmp_register_old_api(const char *moduleName,
*/
if (netsnmp_register_handler(reginfo) != MIB_REGISTERED_OK) {
/** netsnmp_handler_registration_free(reginfo); already freed */
- SNMP_FREE(vp);
+ /* SNMP_FREE(vp); already freed */
}
}
return SNMPERR_SUCCESS;
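Review bot: the replacement leaves an if-block that contains only comments, and the ownership rule it relies on is stated only indirectly; on the failure branch, a one-line comment such as `/* netsnmp_register_handler() freed reginfo and vp via netsnmp_handler_free() */` would record why nothing is released here (the valgrind stack above shows the block freed under netsnmp_subtree_free -> netsnmp_handler_registration_free -> netsnmp_handler_free before the invalid free at old_api.c:130, which is the removed `SNMP_FREE(vp);` line), or the now-empty branch could be dropped and the failed registration logged. The context lines also show `return SNMPERR_SUCCESS;` reached regardless of the `netsnmp_register_handler(reginfo) != MIB_REGISTERED_OK` outcome, so a failed registration is invisible to callers such as init_vacm_vars; worth either propagating an error or noting in the comment that this is intentional.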
Thanks, the patch works: no more crash and no valgrind reports and perfect communication with client (IPv4 and IPv6).
1 remark: there was some issue with the leading spaces of the patch, but I assume that this is due to html...
Thanks for the bug report! We've fixed the problem in the main development tree (SVN trunk), so it should be fixed in the next major release of the Net-SNMP package.