glibc double free error on snmp_sess_close

[krome...@hotmail.com]

Hi,

I have been trying to solve an annoying problem for a couple of months 
now - so was wondering if anyone has some fresh ideas or pointers on 
what to try next.

I have an application using net-snmp 5.4.2.1 which after some time - 
seemingly proportional to the number of snmp requests - will terminate 
with a glibc double free error. The application is doing repetitive and 
simple SNMP_MSG_GET requests. After some time - could be a number of 
weeks, snmp_synch_response will return STAT_ERROR, and when 
snmp_close(ss) is called - the double free is detected after 
snmp_sess_close calls snmp_free_pdu. (full gdb output at the end).

I have rewritten the code a number of times to no avail, and currently 
uses a similar structure to snmpwalk.c. I have a little script which 
records the VSIZE of the process over time, and there appears to be no 
memory leaking. I have used valgrind to try and detect memory problems, 
and although there are lots of reports none seem to be show-stoppers, 
and there are a lot in net-snmp itself (although am very new to 
valgrand, so am no expert).

These problems started to occur around the time that I started to 
monitor a piece of equipment that can't cope with 32-bit requestIDs, so 
as a result I have the "16bitIDs" config parm set to "yes", but have so 
far not looked into the possibility of there being a 16bitIDs-related 
bug. I am guessing this would be unlikely?

As mentioned - any ideas, pointers would be much appreciated.

Many thanks,
Craig

Starting program: /etc/mon/mjs/wd/mjsnmppm1/tempgdb/mjsnmppm1 72
[Thread debugging using libthread_db enabled]
[New Thread 0x2b066a67a5e0 (LWP 12859)]
Detaching after fork from child process 12862.
No log handling enabled - turning on stderr logging
snmpwander:
*** glibc detected *** /etc/mon/mjs/wd/mjsnmppm1/tempgdb/mjsnmppm1: 
double free or corruption (out): 0x00000000089d4070 ***
======= Backtrace: =========
/lib64/libc.so.6[0x3d0de71ce2]
/lib64/libc.so.6(cfree+0x8c)[0x3d0de7590c]
/usr/local/lib/libnetsnmp.so.15(snmp_free_pdu+0x61)[0x2b066a17b8c1]
/usr/local/lib/libnetsnmp.so.15(snmp_sess_close+0x85)[0x2b066a182355]
/etc/mon/mjs/wd/mjsnmppm1/tempgdb/mjsnmppm1[0x430c18]
/etc/mon/mjs/wd/mjsnmppm1/tempgdb/mjsnmppm1[0x431960]
/etc/mon/mjs/wd/mjsnmppm1/tempgdb/mjsnmppm1[0x40dddc]
/etc/mon/mjs/wd/mjsnmppm1/tempgdb/mjsnmppm1[0x40df6d]
/usr/local/lib/libspread-core.so(E_handle_events+0xa8)[0x2b066a414e38]
/etc/mon/mjs/wd/mjsnmppm1/tempgdb/mjsnmppm1[0x405fd7]
/etc/mon/mjs/wd/mjsnmppm1/tempgdb/mjsnmppm1[0x431662]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3d0de1d974]
/etc/mon/mjs/wd/mjsnmppm1/tempgdb/mjsnmppm1(__gxx_personality_v0+0x269)[0x405b09]
======= Memory map: ========
00400000-00468000 r-xp 00000000 fd:00 45449228 
/etc/mon/mjs/wd/mjsnmppm1/tempgdb/mjsnmppm1
00667000-00668000 rw-p 00067000 fd:00 45449228 
/etc/mon/mjs/wd/mjsnmppm1/tempgdb/mjsnmppm1
00668000-00682000 rw-p 00668000 00:00 0
0894e000-089f5000 rw-p 0894e000 00:00 0  [heap]
3d0da00000-3d0da1c000 r-xp 00000000 fd:00 44236802  /lib64/ld-2.5.so
3d0dc1b000-3d0dc1c000 r--p 0001b000 fd:00 44236802  /lib64/ld-2.5.so
3d0dc1c000-3d0dc1d000 rw-p 0001c000 fd:00 44236802  /lib64/ld-2.5.so
3d0de00000-3d0df4c000 r-xp 00000000 fd:00 44236805  /lib64/libc-2.5.so
3d0df4c000-3d0e14c000 ---p 0014c000 fd:00 44236805  /lib64/libc-2.5.so
3d0e14c000-3d0e150000 r--p 0014c000 fd:00 44236805  /lib64/libc-2.5.so
3d0e150000-3d0e151000 rw-p 00150000 fd:00 44236805  /lib64/libc-2.5.so
3d0e151000-3d0e156000 rw-p 3d0e151000 00:00 0
3d0e200000-3d0e202000 r-xp 00000000 fd:00 44236812  /lib64/libdl-2.5.so
3d0e202000-3d0e402000 ---p 00002000 fd:00 44236812  /lib64/libdl-2.5.so
3d0e402000-3d0e403000 r--p 00002000 fd:00 44236812  /lib64/libdl-2.5.so
3d0e403000-3d0e404000 rw-p 00003000 fd:00 44236812  /lib64/libdl-2.5.so
3d0e600000-3d0e682000 r-xp 00000000 fd:00 44236822  /lib64/libm-2.5.so
3d0e682000-3d0e881000 ---p 00082000 fd:00 44236822  /lib64/libm-2.5.so
3d0e881000-3d0e882000 r--p 00081000 fd:00 44236822  /lib64/libm-2.5.so
3d0e882000-3d0e883000 rw-p 00082000 fd:00 44236822  /lib64/libm-2.5.so
3d0ea00000-3d0ea16000 r-xp 00000000 fd:00 44236811  /lib64/libpthread-2.5.so
3d0ea16000-3d0ec15000 ---p 00016000 fd:00 44236811  /lib64/libpthread-2.5.so
3d0ec15000-3d0ec16000 r--p 00015000 fd:00 44236811  /lib64/libpthread-2.5.so
3d0ec16000-3d0ec17000 rw-p 00016000 fd:00 44236811  /lib64/libpthread-2.5.so
3d0ec17000-3d0ec1b000 rw-p 3d0ec17000 00:00 0
3d0ee00000-3d0ee14000 r-xp 00000000 fd:00 14916464  /usr/lib64/libz.so.1.2.3
3d0ee14000-3d0f013000 ---p 00014000 fd:00 14916464  /usr/lib64/libz.so.1.2.3
3d0f013000-3d0f014000 rw-p 00013000 fd:00 14916464  /usr/lib64/libz.so.1.2.3
3d0fa00000-3d0fa20000 r-xp 00000000 fd:00 14918977  /usr/lib64/libpq.so.4.1
3d0fa20000-3d0fc20000 ---p 00020000 fd:00 14918977  /usr/lib64/libpq.so.4.1
3d0fc20000-3d0fc22000 rw-p 00020000 fd:00 14918977  /usr/lib64/libpq.so.4.1
3d0fe00000-3d0fe0d000 r-xp 00000000 fd:00 44236827 
/lib64/libgcc_s-4.1.2-20080825.so.1
3d0fe0d000-3d1000d000 ---p 0000d000 fd:00 44236827 
/lib64/libgcc_s-4.1.2-20080825.so.1
3d1000d000-3d1000e000 rw-p 0000d000 fd:00 44236827 
/lib64/libgcc_s-4.1.2-20080825.so.1
3d10600000-3d106e6000 r-xp 00000000 fd:00 14920106
Program received signal SIGABRT, Aborted.
0x0000003d0de30215 in raise () from /lib64/libc.so.6

(gdb) backtrace full
#0  0x0000003d0de30215 in raise () from /lib64/libc.so.6
No symbol table info available.
#1  0x0000003d0de31cc0 in abort () from /lib64/libc.so.6
No symbol table info available.
#2  0x0000003d0de6a7fb in __libc_message () from /lib64/libc.so.6
No symbol table info available.
#3  0x0000003d0de71ce2 in _int_free () from /lib64/libc.so.6
No symbol table info available.
#4  0x0000003d0de7590c in free () from /lib64/libc.so.6
No symbol table info available.
#5  0x00002b066a17b8c1 in snmp_free_pdu (pdu=0x89d3f70) at snmp_api.c:5036
         sptr = <value optimized out>
#6  0x00002b066a182355 in snmp_sess_close (sessp=0x89d1dd0) at 
snmp_api.c:1886
         rp = (netsnmp_request_list *) 0x0
         slp = <value optimized out>
         transport = <value optimized out>
         isp = (struct snmp_internal_session *) 0x89c5230
         sesp = <value optimized out>
         sptr = (struct snmp_secmod_def *) 0x0
         __FUNCTION__ = "snmp_sess_close"
#7  0x0000000000430c18 in MJSNMPPM::snmpwander (this=0x894e5a0, startoid=
         {static npos = 18446744073709551615, _M_dataplus = 
{<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No data 
fields>}, <No data fields>}, _M_p = 0x7fff409723a0 "h!\235\b"}}, 
useVectors=true, oidvals=<value optimized out>, oidvalssize=34) at 
mjsnmppm1.cpp:792
         pdu = (netsnmp_pdu *) 0x89d3f70
               \000\000Bbuf = "INTEGER: 
85\000\000\000\000\000��\236\b\000\000\000\000 
5\0009\000\000\000\000(�\236\b\000\000\000\000�\027\...@�\177\000\000�?\236\b\000\000\


00\000\000;\215�\r=\000\000\000x�\236\b\000\000\000\000;\215�\r=\000\000\0...@\236\b\000\000\000\000r�\036\205�q\004@��\236\b\000\000\000\000>\nףp=\...@x�\236

6\b\000\000\000\000\000\000\000\000\006+\000\0...@\236\b\000\000\000\000�gj\006+"...
         snmpval = {static npos = 18446744073709551615,
   _M_dataplus = {<std::allocator<char>> = 
{<__gnu_cxx::new_allocator<char>> = {<No data fields>}, <No data 
fields>}, _M_p = 0x89c8d68 "85"}}
         ss = (netsnmp_session *) 0x89549a0
         response = (netsnmp_pdu *) 0x0
         vars = (netsnmp_variable_list *) 0x7fff40971a60
         running = 0
         status = <value optimized out>
         currentoid = {static npos = 18446744073709551615,
   _M_dataplus = {<std::allocator<char>> = 
{<__gnu_cxx::new_allocator<char>> = {<No data fields>}, <No data fields>},
     _M_p = 0x89d2398 ".1.3.6.1.4.1.29711.7705"}}
         name = {1, 3, 6, 1, 4, 1, 29711, 7705, 144598696, 7737, 
144598312, 262226966556, 144589880, 140734277032320, 144597656, 
438086664192,
   144597304, 18446744073709551615, 144589928, 144508424, 144596696, 2, 
144596376, 262226365647, 144589976, 262226022722, 144595832, 0, 0,
   4617315517961601024, 144590024, 262229256928, 1, 0, 144594776, 
140734277033136, 64768, 45285430, 1, 33188, 0, 0, 3661, 4096, 16, 
1249347946, 0,
   1197546326, 0, 1197546326, 0, 0, 0, 0, 144590216, 0, 144592712, 
262229268928, 15, 1, 143975520, 262229271904, 144523900, 262226264106, 15,
   262226965339, 1, 143975520, 262229271904, 144523900, 140734277033216, 
262226361327, 1, 33188, 0, 0, 3661, 4096, 16, 262226961142, 8180,
   262226966568, 8, 144523900, 144523900, 262226364048, 0, 262229268928, 
262229269000, 262229269000, 262229256928, 262226623250, 8180,
   18446744073709502464, 183632, 262226274793, 262229254912, 
262226245010, 144523952, 262229268928, 183632, 262226972400, 144532080, 
262226254484,
   140734277033488, 262226361327, 262229269000, 262229269000, 0, 
262229269024, 9549393970, 8589934600, 60697551581744, 144532080, 8208,
   262229268928, 8208, 144523888, 144523872, 262226262353, 262229268928, 
81, 140734277034080, 1, 262229256928, 140734277033792, 8187, 144523888}
         name_length = 8
         oidvalsidx = 22
         exitval = 1
#8  0x0000000000431960 in MJSNMPPM::doCheck (this=0x894e5a0, 
new_checkpoint=false) at mjsnmppm1.cpp:202
         returncode = <value optimized out>
         doubleVal = <value optimized out>
         oidlist = {7680, 7681, 7682, 7683, 7688, 7689, 7690, 7691, 
7692, 7693, 7694, 7695, 7696, 7697, 7698, 7699, 7700, 7701, 7702, 7703, 
7704,
   7705, 7706, 7707, 7708, 7709, 7720, 7721, 7722, 7733, 7734, 7735, 
7736, 7737}
         exitval = <value optimized out>
#9  0x000000000040dddc in MJ::checkLoop (this=0x323b) at MJ.cpp:944
No locals.
#10 0x000000000040df6d in MJ::PROCESS_timer (this=0x894e5a0, code=12859) 
at MJ.cpp:2055
No locals.
#11 0x00002b066a414e38 in E_handle_events () at ../daemon/events.c:610
         num_set = <value optimized out>
         treated = <value optimized out>
         fd = <value optimized out>
         fd_type = <value optimized out>
         i = 2
         j = 252
         timeout = {sec = 0, usec = 252}
         sel_timeout = {tv_sec = 0, tv_usec = 0}
         wait_timeout = {tv_sec = 0, tv_usec = 0}
         current_mask = {{__fds_bits = {0 <repeats 16 times>}}, 
{__fds_bits = {0 <repeats 16 times>}}, {__fds_bits = {0 <repeats 16 
times>}}}
         first = 0
         Round_robin = 0
#12 0x0000000000405fd7 in SP::mainLoop (this=0x894e5a0, sp_user_pfx=
         {static npos = 18446744073709551615, _M_dataplus = 
{<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No data 
fields>}, <No data fields>}, _M_p = 0x7fff40972c90 "�zf"}}, sp_group=
         {static npos = 18446744073709551615, _M_dataplus = 
{<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No data 
fields>}, <No data fields>}, _M_p = 0x7fff40972c80 "�zf"}}) at SP.cpp:237
No locals.
#13 0x0000000000431662 in main (argv=<value optimized out>) at 
mjsnmppm1.cpp:928
         mjid = <value optimized out>
         e = <value optimized out>


__________ Information from ESET Smart Security, version of virus signature 
database 4304 (20090804) __________

The message was checked by ESET Smart Security.

http://www.eset.com



------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day 
trial. Simplify your report design, integration and deployment - and focus on 
what you do best, core application coding. Discover what's new with 
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders