Hello,

Can we just add something like AGENTX_MSG_FLAG_DISCONNECT_IN_PROGRESS
in close_agents_session() ?

   sesssion->subsession->flags = AGENTX_MSG_FLAG_DISCONNECT_IN_PROGRESS;

So that later in agentx_master_handler() we can check
 ax_session->subsession->flags so we can check this:

   if (!(ax_session->subsession->flags &
AGENTX_MSG_FLAG_DISCONNECT_IN_PROGRESS)) {
       cb_data = NULL;
   }

And we do not have the double free at the end.

Thanks,
Sam

On Wed, Jun 26, 2019 at 2:42 PM Sam Tannous <stann...@cumulusnetworks.com>
wrote:

> Bill, Bart,
>
> Shouldn't there be a check (netsnmp_handler_check_cache)
> just before snmp_async_send to make sure the cb_data is still
> valid (or that the session hasn't been disconnected)?
>
> I'm assuming (with good evidence) that our subagent
> session was disconnected (our subagent has a problem)
> and something was freed...and we attempt to free cb_data
> again and core dump.  So at the bottom of agentx_got_response():
>
>
>     /*
>      * When the master sends a CleanupSet PDU, it will never get a response
>      * back from the subagent. So we shouldn't allocate the
>      * netsnmp_delegated_cache structure in this case.
>      */
>     if (pdu->command != AGENTX_MSG_CLEANUPSET)
>         cb_data = netsnmp_create_delegated_cache(handler, reginfo,
>                                                  reqinfo, requests,
>                                                  (void *) ax_session);
>     else
>         cb_data = NULL;
>
>
> */* some checks */*
>
>
>
>
>
>
>
>
> * cache = netsnmp_handler_check_cache(cb_data);    if (!cache) {
> DEBUGMSGTL(("agentx/master", "session may be disconnected %8p\n",
>           session));        /* response is too late, perhaps session was
> disconnected? */        if (cb_data)
> netsnmp_free_delegated_cache((netsnmp_delegated_cache*) magic);
> return 1;    }*
> */* end checks */*
>
>    /*
>      * send the requests out.
>      */
>     DEBUGMSGTL(("agentx/master", "sending pdu
> (req=0x%x,trans=0x%x,sess=0x%x)\n",
>                 (unsigned)pdu->reqid, (unsigned)pdu->transid,
> (unsigned)pdu->sessid));
>
>    result = snmp_async_send(ax_session, pdu, agentx_got_response, cb_data);
>     if (result == 0) {
>         snmp_free_pdu(pdu);
>         if (cb_data)
>             netsnmp_free_delegated_cache((netsnmp_delegated_cache*)
> cb_data);
>     }
>
>     return SNMP_ERR_NOERROR;
>
> --Sam
>
> On Tue, Jun 25, 2019 at 3:38 PM Sam Tannous <stann...@cumulusnetworks.com>
> wrote:
>
>>
>> I'm still not able to recreate this bug (#2943) where we
>> double free cb_data at the bottom of agentx_master_handler()
>> (with the netsnmp_free_delegated_cache()).
>>
>> Just in looking at the code logic, it seems like we allocate
>> the netsnmp_delegated_cache structure only if the master
>> sent a CleanupSet PDU.   In the case I'm looking at, I can
>> see the master has already disconnected the subagent:
>>
>> bgpd[5180]: snmp[info]: AgentX master disconnected us, reconnecting in 15
>> ip[8042]: *** Error in `/usr/sbin/snmpd': double free or corruption
>> (fasttop): 0x0000000001d15420 ***
>> zebra[21794]: snmp[info]: AgentX master disconnected us, reconnecting in
>> 15
>>
>> So when this happens, the master attempts to close_agentx_session().
>> My best guess (without being able to recreate this) is that this structure
>> is freed here first.   Is it possible to somehow protect the session
>> (and all subsessions) from being freed if there the master is in the
>> process
>> of allocating  netsnmp_delegated_cache?
>>
>> Can we set something like AGENTX_MSG_CLEANUPSET if we have
>> disconnected (or timed out) any/all subagents?  This is just to prevent
>> the
>> double free that happens at the end of agentx_master_handler().
>>
>> Thanks,
>> Sam
>>
>>
>>
>>
>
>

-- 
*Sam Tannous*
Engineering
Cumulus Networks®
+1 650 383 6700 x 1106
<http://www.cumulusnetworks,com>www.cumulusnetworks.com

Evaluate Cumulus® Linux®
https://cumulusnetworks.com/product/secure/evaluate/

Become a Partner
http://cumulusnetworks.com/partners/become-a-partner/
_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

Reply via email to