On Thu, 2008-06-05 at 20:22 +0000, Chris Larson wrote:
> I've run into a segmentation fault in net-snmp version 5.4 on our
> product, when there's a cpuIdle > or < alert set up in snmpd.conf.
>
> The segfault is in snmp_oid_compare, called on line 281 of
> agent/mibgroup/disman/event/mteTrigger.c, in mteTrigger_run. vp2->name
> is sometimes 0, sometimes other values.
>
> I've seen vp2 pointing out into the ether, not within the process's
> memory space. entry->count is 2 at this point, vp2_prev->next_variable
> is pointing out there. vp2_prev seems fine.
>
> I've also seen vp2 be fine, but vp2->name with an address like "0x131".
>
> I assume we have some sort of memory management bug here. Occasionally,
> seemingly at random, I'll also get a glibc double free warning. This is
> x86_64, in one of the montavista distributions.
>
> If anyone more familiar with this code than I happens to know what could
> cause this, I'd appreciate it greatly :) I've been perusing
> mteTrigger_run looking for problems surrounding the calls to
> snmp_free_varbind, but haven't spotted anything just yet.
Update: Valgrind output:

==9359== Invalid read of size 8
==9359==    at 0x4D641A0: mteTrigger_run (mteTrigger.c:281)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==  Address 0x683ccd8 is 16 bytes inside a block of size 1,136 free'd
==9359==    at 0x4B1AAFE: free (vg_replace_malloc.c:323)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==
==9359== Invalid read of size 8
==9359==    at 0x4D641A4: mteTrigger_run (mteTrigger.c:281)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==  Address 0x683ccd0 is 8 bytes inside a block of size 1,136 free'd
==9359==    at 0x4B1AAFE: free (vg_replace_malloc.c:323)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==
==9359== Invalid read of size 8
==9359==    at 0x5152DA0: snmp_oid_compare (snmp_api.c:6340)
==9359==    by 0x4D641B6: mteTrigger_run (mteTrigger.c:281)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==  Address 0x683ccf8 is 48 bytes inside a block of size 1,136 free'd
==9359==    at 0x4B1AAFE: free (vg_replace_malloc.c:323)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==
==9359== Invalid read of size 4
==9359==    at 0x4D641C8: mteTrigger_run (mteTrigger.c:313)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==  Address 0x683d130 is 1,128 bytes inside a block of size 1,136 free'd
==9359==    at 0x4B1AAFE: free (vg_replace_malloc.c:323)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==
==9359== Invalid read of size 8
==9359==    at 0x4D641E6: mteTrigger_run (mteTrigger.c:343)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==  Address 0x683ccc8 is 0 bytes inside a block of size 1,136 free'd
==9359==    at 0x4B1AAFE: free (vg_replace_malloc.c:323)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==
==9359== Invalid read of size 8
==9359==    at 0x514FAFB: snmp_free_varbind (snmp_api.c:5028)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==  Address 0x683ccc8 is 0 bytes inside a block of size 1,136 free'd
==9359==    at 0x4B1AAFE: free (vg_replace_malloc.c:323)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==
==9359== Invalid read of size 8
==9359==    at 0x514FA77: snmp_free_var (snmp_api.c:5007)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==  Address 0x683ccd0 is 8 bytes inside a block of size 1,136 free'd
==9359==    at 0x4B1AAFE: free (vg_replace_malloc.c:323)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==
==9359== Invalid read of size 8
==9359==    at 0x514FA8C: snmp_free_var (snmp_api.c:5009)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==  Address 0x683cce8 is 32 bytes inside a block of size 1,136 free'd
==9359==    at 0x4B1AAFE: free (vg_replace_malloc.c:323)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==
==9359== Invalid read of size 8
==9359==    at 0x514FA9A: snmp_free_var (snmp_api.c:5011)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==  Address 0x683d120 is 1,112 bytes inside a block of size 1,136 free'd
==9359==    at 0x4B1AAFE: free (vg_replace_malloc.c:323)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==
==9359== Invalid free() / delete / delete[]
==9359==    at 0x4B1AAFE: free (vg_replace_malloc.c:323)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)
==9359==  Address 0x683ccc8 is 0 bytes inside a block of size 1,136 free'd
==9359==    at 0x4B1AAFE: free (vg_replace_malloc.c:323)
==9359==    by 0x514FB02: snmp_free_varbind (snmp_api.c:5029)
==9359==    by 0x4D647B1: mteTrigger_run (mteTrigger.c:1098)
==9359==    by 0x51672CD: run_alarms (snmp_alarm.c:252)
==9359==    by 0x403A69: main (snmpd.c:1203)

-- 
Chris Larson
Dedicated Engineer
Montavista, Inc.
Email: clarson AT mvista DOT com
Email: clarson AT kergoth DOT com

_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
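An added example, not part of Chris's message and not net-snmp code: a small C model of the shape the Valgrind trace shows, a varbind chain freed by snmp_free_varbind at the end of one mteTrigger_run (line 1098) and then read at the comparison (line 281) and freed a second time on the next alarm tick. A quarantine allocator stands in for Valgrind so the invalid reads and invalid frees are counted instead of crashing or being undefined behaviour. Everything here is constructed for illustration: the varbind and trigger structs, the quarantine allocator, the OIDs (ssCpuIdle.0 and laLoadInt.1 are assumed to be what a cpuIdle monitor samples), and the "second owner frees the chain" defect in run_tick_buggy. The thread does not identify the actual root cause in mteTrigger.c, and this model does not claim to; it shows the ownership rule that makes the trace impossible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for netsnmp_variable_list (constructed, not the real struct). */
typedef struct varbind {
    unsigned long name[16];
    size_t name_length;
    long value;
    struct varbind *next_variable;     /* the chain link snmp_free_varbind walks */
} varbind;

/* Quarantine allocator: freed blocks are poisoned and kept, never returned to libc
 * while the model runs, so reading or re-freeing a dead block is counted (Valgrind's
 * "Invalid read" / "Invalid free()") instead of being undefined behaviour. */
#define MAX_BLOCKS 64
static struct { varbind *ptr; int dead; } blocks[MAX_BLOCKS];
static size_t nblocks;
static int invalid_reads, invalid_frees;
static int q_is_dead(const varbind *p) {   /* unknown or NULL counts as dead */
    for (size_t i = 0; i < nblocks; i++)
        if (blocks[i].ptr == p) return blocks[i].dead;
    return 1;
}
static void q_free(varbind *p) {
    for (size_t i = 0; i < nblocks; i++)
        if (blocks[i].ptr == p) { blocks[i].dead = 1; memset(p, 0xdd, sizeof *p); return; }
    abort();
}
static varbind *varbind_new(const unsigned long *oid, size_t len, long value) {
    varbind *vp = calloc(1, sizeof *vp);
    if (!vp || nblocks == MAX_BLOCKS) abort();
    memcpy(vp->name, oid, len * sizeof *oid);
    vp->name_length = len; vp->value = value;
    blocks[nblocks].ptr = vp; blocks[nblocks].dead = 0; nblocks++;
    return vp;
}
/* Same walk as snmp_free_varbind; a dead node is an invalid free and the walk
 * stops there, because its link field is poison. */
static void free_varbind_list(varbind *vp) {
    while (vp) {
        if (q_is_dead(vp)) { invalid_frees++; return; }
        varbind *next = vp->next_variable;
        q_free(vp);
        vp = next;
    }
}
/* Lexicographic OID compare with snmp_oid_compare's -1/0/1 contract. */
static int oid_compare(const unsigned long *a, size_t alen, const unsigned long *b, size_t blen) {
    for (size_t i = 0; i < alen && i < blen; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return alen == blen ? 0 : (alen < blen ? -1 : 1);
}

typedef struct { varbind *old_results; } trigger;   /* what survives between ticks */

/* The comparison the trace places at mteTrigger.c:281: this tick's results against
 * the previous tick's. Returns how many values changed, or -1 if the old chain is dead. */
static int compare_with_previous(trigger *e, varbind *new_results) {
    int changed = 0;
    for (varbind *vp1 = new_results, *vp2 = e->old_results; vp1 && vp2;
         vp1 = vp1->next_variable, vp2 = vp2->next_variable) {
        if (q_is_dead(vp2)) { invalid_reads++; return -1; }
        if (oid_compare(vp1->name, vp1->name_length, vp2->name, vp2->name_length) == 0
            && vp1->value != vp2->value) changed++;
    }
    return changed;
}
/* BUGGY tick (constructed): the entry keeps the new chain for the next comparison, but
 * the tick also frees it on the way out, so old_results dangles into the next alarm
 * tick, where it is read and then freed a second time. */
static int run_tick_buggy(trigger *e, varbind *new_results) {
    int changed = compare_with_previous(e, new_results);
    free_varbind_list(e->old_results);
    e->old_results = new_results;
    free_varbind_list(new_results);        /* second owner frees the same chain */
    return changed;
}
/* FIXED tick: one owner. The entry takes the chain and is the only one to free it,
 * exactly once, on the following tick. */
static int run_tick_fixed(trigger *e, varbind *new_results) {
    int changed = compare_with_previous(e, new_results);
    free_varbind_list(e->old_results);
    e->old_results = new_results;
    return changed;
}

/* Assumed objects for a cpuIdle monitor: UCD-SNMP-MIB::ssCpuIdle.0 and laLoadInt.1. */
static const unsigned long cpu_idle_oid[] = {1, 3, 6, 1, 4, 1, 2021, 11, 11, 0};
static const unsigned long load1_oid[]    = {1, 3, 6, 1, 4, 1, 2021, 10, 1, 5, 1};

/* Drive one trigger through successive alarm ticks, as run_alarms would, with fresh
 * two-object samples; return the invalid reads + invalid frees observed. */
static int simulate(int (*tick)(trigger *, varbind *), int ticks) {
    static const long idle[] = {90, 85, 70, 60};
    trigger e = {0};
    invalid_reads = invalid_frees = 0;
    for (int t = 0; t < ticks; t++) {
        varbind *sample = varbind_new(cpu_idle_oid, 10, idle[t % 4]);
        sample->next_variable = varbind_new(load1_oid, 11, 1);
        tick(&e, sample);
    }
    int errors = invalid_reads + invalid_frees;
    if (!q_is_dead(e.old_results)) free_varbind_list(e.old_results);
    for (size_t i = 0; i < nblocks; i++) free(blocks[i].ptr);   /* empty the quarantine */
    nblocks = 0;
    return errors;
}

int main(void) {
    printf("buggy: %d memory errors over 3 ticks\n", simulate(run_tick_buggy, 3));
    printf("fixed: %d memory errors over 3 ticks\n", simulate(run_tick_fixed, 3));
    return 0;
}
```

Built with cc -std=c99, the buggy tick reports two errors on every tick after the first (an invalid read at the comparison, then an invalid free inside the free walk, the same order as the trace), and the fixed tick reports none. The discipline it encodes is the thing to check in the real mteTrigger_run: whatever structure carries the previous results across alarm ticks must be the only thing that frees them, and nothing else may free or retain that chain after handing it over.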
