Hi, I have compared net-snmp-5.7.3 and net-snmp-5.8 and I have found, that following callbacks in snmplib/snmp_api.c causes the core dump issue:
--- old/snmplib/snmp_api.c 2019-04-03 12:13:55.126769866 +0200 +++ new/snmplib/snmp_api.c 2019-04-03 12:15:18.353420790 +0200 @@ -6731,9 +6731,9 @@ snmp_resend_request(struct session_list sp->s_snmp_errno = SNMPERR_BAD_SENDTO; sp->s_errno = errno; snmp_set_detail(strerror(errno)); - if (rp->callback) +/* if (rp->callback) rp->callback(NETSNMP_CALLBACK_OP_SEND_FAILED, sp, - rp->pdu->reqid, rp->pdu, rp->cb_data); + rp->pdu->reqid, rp->pdu, rp->cb_data);*/ return -1; } else { netsnmp_get_monotonic_clock(&now); @@ -6743,9 +6743,9 @@ snmp_resend_request(struct session_list tv.tv_sec += tv.tv_usec / 1000000L; tv.tv_usec %= 1000000L; rp->expireM = tv; - if (rp->callback) +/* if (rp->callback) rp->callback(NETSNMP_CALLBACK_OP_RESEND, sp, - rp->pdu->reqid, rp->pdu, rp->cb_data); + rp->pdu->reqid, rp->pdu, rp->cb_data);*/ } return 0; } Without them, all works as expected. Josef Ridky Software Engineer Core Services Team Red Hat Czech, s.r.o. ----- Original Message ----- | From: "Anders Wallin" <walli...@gmail.com> | To: "Josef Ridky" <jri...@redhat.com> | Cc: "net-snmp-coders" <net-snmp-coders@lists.sourceforge.net> | Sent: Tuesday, April 2, 2019 6:27:54 PM | Subject: Re: Core dump with net-snmp-5.8 | | Hi Josef, | I can reproduce the issue using the master branch, I will take a look at it | later tonight or tomorrow | | Regards | Anders Wallin | | | On Tue, Apr 2, 2019 at 3:42 PM Josef Ridky <jri...@redhat.com> wrote: | | > Hi, | > | > thanks for your patch. Unfortunately, even when I have applied it, it | > still ends with core dump due of 'double free or corruption (fasttop)' | > | > When I run snmpd with -Dsnmp_agent,agentx/master it ends with: | > | > agentx/master: sending pdu (req=0x1d4,trans=0x1d3,sess=0x5) | > snmp_agent: delegate session == 0x56207e165240 | > snmp_agent: end of handle_snmp_packet, asp = 0x56207e165240 | > agentx/master: callback resend | > agentx/master: callback resend | > agentx/master: timeout on session 0x56207dfd5400 req=0x1c9 | > agentx/master: close 0x56207dfd5400, -1 | > snmp_agent: removed 40 delegated request(s) for session 0x56207dfce490 | > snmp_agent: processing delegated request, asp = 0x56207e165240 | > snmp_agent: canceling next walk for asp 0x56207e165240 | > snmp_agent: REMOVE session == 0x56207e165240 | > snmp_agent: agent_session 0x56207e165240 released | > snmp_agent: processing delegated request, asp = 0x56207e1041a0 | > snmp_agent: canceling next walk for asp 0x56207e1041a0 | > snmp_agent: REMOVE session == 0x56207e1041a0 | > snmp_agent: agent_session 0x56207e1041a0 released | > snmp_agent: processing delegated request, asp = 0x56207e1656c0 | > snmp_agent: canceling next walk for asp 0x56207e1656c0 | > snmp_agent: REMOVE session == 0x56207e1656c0 | > snmp_agent: agent_session 0x56207e1656c0 released | > snmp_agent: processing delegated request, asp = 0x56207e11af40 | > snmp_agent: canceling next walk for asp 0x56207e11af40 | > snmp_agent: REMOVE session == 0x56207e11af40 | > snmp_agent: agent_session 0x56207e11af40 released | > snmp_agent: processing delegated request, asp = 0x56207e118f00 | > snmp_agent: canceling next walk for asp 0x56207e118f00 | > snmp_agent: REMOVE session == 0x56207e118f00 | > snmp_agent: agent_session 0x56207e118f00 released | > snmp_agent: processing delegated request, asp = 0x56207e11b540 | > snmp_agent: canceling next walk for asp 0x56207e11b540 | > snmp_agent: REMOVE session == 0x56207e11b540 | > snmp_agent: agent_session 0x56207e11b540 released | > snmp_agent: processing delegated request, asp = 0x56207e11bd00 | > snmp_agent: canceling next walk for asp 0x56207e11bd00 | > snmp_agent: REMOVE session == 0x56207e11bd00 | > snmp_agent: agent_session 0x56207e11bd00 released | > agentx/master: Continue removing delegated subsession reqests | > agentx/master: close transport | > snmp_agent: REMOVE session == 0x56207dfd5400 | > agentx/master: response too late on session 0x56207dfd5400 | > agentx/master: response too late on session 0x56207dfd5400 | > double free or corruption (fasttop) | > Aborted (core dumped) | > | > | > What's interesting, when I run it with -DALL it pass (at least for several | > rounds). | > It looks like some strange race condition. | > | > Regards | > | > Josef Ridky | > Software Engineer | > Core Services Team | > Red Hat Czech, s.r.o. | > | > ----- Original Message ----- | > | From: "Anders Wallin" <walli...@gmail.com> | > | To: "Josef Ridky" <jri...@redhat.com> | > | Cc: "net-snmp-coders" <net-snmp-coders@lists.sourceforge.net> | > | Sent: Tuesday, April 2, 2019 1:46:40 PM | > | Subject: Re: Core dump with net-snmp-5.8 | > | | > | Hi Josef, | > | | > | I think it's the same issue as | > https://sourceforge.net/p/net-snmp/bugs/2914/ | > | (where I also posted the solution) | > | Regards | > | Anders Wallin | > | | > | | > | On Tue, Apr 2, 2019 at 12:43 PM Josef Ridky <jri...@redhat.com> wrote: | > | | > | > Hi, | > | > | > | > recently, I have hit to an issue in net-snmp-5.8, that is connected to | > the | > | > bug report [1]. | > | > | > | > When I tried to run agentofdeath test from [1], snmpd daemon will crash | > | > with malloc(): smallbin double linked list corrupted or double free() | > issue | > | > and dumps core (see bellow). | > | > From log file, I can identified one issue with "Unknown operation". | > | > | > | > This issue is in the agentx_got_response function | > | > (agent/mibgroup/agentx/master.c). There isn't implemented action for | > | > NETSNMP_CALLBACK_OP_RESEND (defined in | > | > include/net-snmp/library/snmp_api.h). | > | > As result "Unknown operation 6 in agentx_got_response" is shown in log | > | > file. | > | > | > | > /var/log/messages | > | > ------------------------------- | > | > Mar 28 06:52:42 localhost snmpd[12073]: Unknown operation 6 in | > | > agentx_got_response | > | > Mar 28 06:52:43 localhost snmpd[12073]: Unknown operation 6 in | > | > agentx_got_response | > | > Mar 28 06:52:43 localhost snmpd[12073]: malloc(): smallbin double | > linked | > | > list corrupted | > | > Mar 28 06:52:43 localhost systemd[1]: Started Process Core Dump (PID | > | > 13652/UID 0). | > | > Mar 28 06:52:48 localhost systemd[1]: snmpd.service: Main process | > exited, | > | > code=dumped, status=6/ABRT | > | > Mar 28 06:52:48 localhost systemd[1]: snmpd.service: Failed with result | > | > 'core-dump'. | > | > ------------------------------- | > | > | > | > The "Unknown operation" callback is caused by newly added piece of | > code in | > | > snmplib/snmp_api.c: | > | > | > | > static int | > | > snmp_resend_request(struct session_list *slp, netsnmp_request_list | > *rp, | > | > int incr_retries) | > | > { | > | > | > | > ... | > | > | > | > tv.tv_sec += tv.tv_usec / 1000000L; | > | > tv.tv_usec %= 1000000L; | > | > rp->expireM = tv; | > | > + if (rp->callback) | > | > + rp->callback(NETSNMP_CALLBACK_OP_RESEND, sp, | > | > + rp->pdu->reqid, rp->pdu, rp->cb_data); | > | > } | > | > return 0; | > | > } | > | > | > | > | > | > When I tried to remove it, it just stop complaining about operation 6, | > but | > | > the core dump is still present. | > | > | > | > May I ask you for help with this issue? Do you have any idea, what | > causing | > | > this issue in 5.8 and how to fix it? | > | > I know, that Jan Safranek has fixed this for 5.7 by commit [2], but it | > | > looks like something other has changed and this issue is current again. | > | > | > | > [1] https://sourceforge.net/p/net-snmp/bugs/2411/ | > | > [2] | > | > | > https://github.com/net-snmp/net-snmp/commit/793d596838ff7cb48a73b675d62897c56c9e62df | > | > | > | > Regards | > | > | > | > Josef Ridky | > | > Software Engineer | > | > Core Services Team | > | > Red Hat Czech, s.r.o. | > | > | > | > | > | > | > | > _______________________________________________ | > | > Net-snmp-coders mailing list | > | > Net-snmp-coders@lists.sourceforge.net | > | > https://lists.sourceforge.net/lists/listinfo/net-snmp-coders | > | > | > | | > | _______________________________________________ Net-snmp-coders mailing list Net-snmp-coders@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/net-snmp-coders