Hello, any news on this? I would also read some RFC to help me properly understand the problem and the solution... I just need some hint on how to proceed.
Best regards,
Michael

On 25.04.2014 16:27, Michael Bunk - Computer Leipzig wrote:
> Hello,
>
> I'm using the Perl module SNMP.pm in asynchronous mode to query some values from some SNMP agents periodically in a daemon. This used to crash after some time, so I ran the whole thing (my daemon in Perl) under gdb to get backtraces and investigate the cause.
>
> The SNMP.pm uses XS code (which is translated to C code during build) to call snmplib. The XS code contains a callback function, __snmp_xs_cb, which is supposed to be called back exactly once by snmplib: when the SNMP reply was received or the request timed out. __snmp_xs_cb would then call a callback implemented in Perl by the user of SNMP.pm.
>
> Most of the time this works well.
>
> But it turned out that sometimes __snmp_xs_cb would be called *twice* (or maybe even more often) for the same SNMP request. The problem is, __snmp_xs_cb uses some dynamically allocated data, cb_data, which is freed once __snmp_xs_cb is called. So any call after the first dereferenced a pointer to already freed memory. That use-after-free resulted in a crash.
>
> Using gdb and inspecting the local variables in __snmp_xs_cb after a crash I could identify the conditions when this mysterious "superfluous callback" was called:
>
>     int dont_free = (op==1 && reqid==0) ||
>         (pdu && pdu->command == SNMP_MSG_REPORT);
>
> My problem is: I cannot interpret my findings!
>
> op==1 means NETSNMP_CALLBACK_OP_RECEIVED_MESSAGE (I should have used the symbolic value instead of the literal 1, but I got it from gdb), OK. Every request is assigned a request id "reqid" by snmplib. A reqid of 0 would be a callback unrelated to any request? Of course not, because cb_data belongs to a specific request! But what does this condition indicate then?
>
> SNMP_MSG_REPORT means some SNMPv3 problem. __snmp_xs_cb will also call the Perl callback in this case, but to the Perl code it just looks like a timeout. I think snmplib already handles this case, so it should not reach the Perl code. Also compare http://sourceforge.net/p/net-snmp/patches/1256/ . That patch even prevents snmplib from calling its callback, fixing it one level earlier in the call stack. But I cannot decide which fix is right.
>
> The attached patch prevents the use-after-free condition and I would be grateful if you could explain to me why it works and help me prepare it for integration into net-snmp master.
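The ownership problem Michael describes, as an added example that is not part of the thread and not code from SNMP.pm or net-snmp: a small C model of a callback that owns per-request cb_data while snmplib may invoke it more than once for the same request (once with an SNMPv3 REPORT pdu, then again with the real reply). Instead of calling free() on the first invocation, the model marks cb_data dead so a second invocation can be observed as a would-be use-after-free rather than crashing. The constants are assumed to mirror net-snmp's headers, mock_pdu and cb_data_t are stand-ins for netsnmp_pdu and the XS glue's private data, and the callback signature is simplified (net-snmp's also carries the session pointer).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed to mirror net-snmp's public headers; not taken from the thread. */
#define NETSNMP_CALLBACK_OP_RECEIVED_MESSAGE 1
#define NETSNMP_CALLBACK_OP_TIMED_OUT        2
#define SNMP_MSG_RESPONSE 0xA2
#define SNMP_MSG_REPORT   0xA8

typedef struct { int command; } mock_pdu;   /* stand-in for netsnmp_pdu */

/* Per-request state the XS glue hands to snmplib as the "magic" pointer. */
typedef struct {
    int  reqid;
    int  alive;      /* 1 until released; models heap liveness for the demo */
    char tag[16];
} cb_data_t;

/* Observations a test can check without touching freed memory. */
typedef struct {
    int user_cb_calls;   /* deliveries to the user-level (Perl) callback */
    int frees;           /* times cb_data was released */
    int uaf_detected;    /* callback ran after cb_data had been released */
} cb_stats;

/* Simulated release: mark dead rather than free(), so a later invocation
 * is detectable instead of undefined behaviour. */
static void release_cb_data(cb_data_t *cb, cb_stats *st) {
    cb->alive = 0;
    st->frees++;
}

/* Model of __snmp_xs_cb. guard == 0: release on every invocation (the crash
 * path). guard == 1: apply the dont_free condition quoted in the thread, so
 * a REPORT or a reqid-0 message never releases the request's cb_data. */
static int xs_cb(int op, int reqid, const mock_pdu *pdu, void *magic,
                 int guard, cb_stats *st) {
    cb_data_t *cb = (cb_data_t *)magic;

    if (!cb->alive) {     /* in the real code this dereference is the UAF */
        st->uaf_detected++;
        return 0;
    }

    int dont_free = guard &&
        ((op == NETSNMP_CALLBACK_OP_RECEIVED_MESSAGE && reqid == 0) ||
         (pdu && pdu->command == SNMP_MSG_REPORT));

    st->user_cb_calls++;          /* deliver response / timeout / report */
    if (!dont_free)
        release_cb_data(cb, st);  /* ownership ends only on real completion */
    return 1;
}

static cb_data_t *new_request(int reqid) {
    cb_data_t *cb = calloc(1, sizeof *cb);
    cb->reqid = reqid;
    cb->alive = 1;
    snprintf(cb->tag, sizeof cb->tag, "req-%d", reqid);
    return cb;
}

/* Replay the sequence the thread reports: REPORT first, then the genuine
 * RESPONSE for the same request. */
static cb_stats simulate_report_then_response(int guard) {
    cb_stats st = {0, 0, 0};
    cb_data_t *cb = new_request(42);
    mock_pdu report = { SNMP_MSG_REPORT };
    mock_pdu response = { SNMP_MSG_RESPONSE };

    xs_cb(NETSNMP_CALLBACK_OP_RECEIVED_MESSAGE, cb->reqid, &report, cb, guard, &st);
    xs_cb(NETSNMP_CALLBACK_OP_RECEIVED_MESSAGE, cb->reqid, &response, cb, guard, &st);

    free(cb);   /* the one real release, after the simulated exchange */
    return st;
}

/* Timeout path: a single TIMED_OUT callback with no pdu must release once. */
static cb_stats simulate_timeout(int guard) {
    cb_stats st = {0, 0, 0};
    cb_data_t *cb = new_request(43);
    xs_cb(NETSNMP_CALLBACK_OP_TIMED_OUT, cb->reqid, NULL, cb, guard, &st);
    free(cb);
    return st;
}

int main(void) {
    cb_stats a = simulate_report_then_response(0);
    cb_stats b = simulate_report_then_response(1);
    printf("unguarded: frees=%d uaf=%d\n", a.frees, a.uaf_detected);
    printf("guarded:   frees=%d uaf=%d deliveries=%d\n",
           b.frees, b.uaf_detected, b.user_cb_calls);
    return 0;
}
```

The point the model makes is that cb_data's lifetime has to be tied to the request's completion (response or timeout), not to "the callback ran". Whether the REPORT should still be surfaced to the user-level callback, or suppressed inside snmplib as the linked patch does, is the open question in the thread; the model delivers it and only withholds the free.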
_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders