Hi Experts, Could you please shed some light on this.
Our Dev engineer had analyzed the core files using the unstripped snmpd binary.
From the core analysis, we can see both the crashes happened due to memory
corruption in snmp. Attached the core backtrace logs for reference.
Could you please help in this regard.

CORE1:
/net-snmp/5.7.3-r5.0/net-snmp-5.7.3/agent/mibgroup/ip-mib/data_access/systemstats_linux.c

    /*
     * try to open /proc/net/dev_snmp6 directory. If we can't, that's ok -
     * maybe it is not supported by the current running kernel.
     */
    if ((dev_snmp6_dir = opendir(DEV_SNMP6_DIRNAME)) == NULL) {  /* <<< opendir uses malloc() to allocate memory and it is crashing */
        DEBUGMSGTL(("access:ifstats",
                    "Failed to load IPv6 IfStats Table (linux)\n"));
        return 0;
    }

CORE2:
/net-snmp/5.7.3-r5.0/net-snmp-5.7.3/snmplib/snmp_api.c

    /*
     * snmp_duplicate_objid: duplicates (mallocs) an objid based on the
     * input objid
     */
    oid *
    snmp_duplicate_objid(const oid * objToCopy, size_t objToCopyLen)
    {
        oid *returnOid;
        if (objToCopy != NULL && objToCopyLen != 0) {
            returnOid = (oid *) malloc(objToCopyLen * sizeof(oid));  /* <<< Failing in malloc corruption */
            if (returnOid) {
                memcpy(returnOid, objToCopy, objToCopyLen * sizeof(oid));
            }
        } else
            returnOid = NULL;
        return returnOid;
    }

Thanks,
Kiran

From: Kiran Kumar Pamula
Sent: 12 November 2019 14:23
To: net-snmp-users@lists.sourceforge.net
Subject: Crash at Net-snmp due to corrupted double-linked list

Hi Net-snmp team,

We are using Net-snmp 5.7.3 in our product and our customer has reported the
below crash recently, although it was never hit in our internal tests.
Could you please confirm if this is any known issue and if a patch is
available for the same.

[New LWP 31070]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/snmpd -f -Lsd -M+/sw/unicorn/snmp/mibs -Dtrap -Dusm -Dinit_mibs -I-sy'.
Program terminated with signal 6, Aborted.
#0  0x00007fc49e726f57 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
#0  0x00007fc49e726f57 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
        resultvar = 0
        pid = 31070
        selftid = 31070
#1  0x00007fc49e728418 in __GI_abort () at abort.c:90
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7ffdf25156ea, sa_sigaction = 0x7ffdf25156ea}, sa_mask = {__val = {6, 140482449860288, 2, 140728668870398, 2, 140482449851372, 1, 140482449860284, 3, 140728668870372, 12, 140482449860288, 2, 140728668871184, 15, 140728668872944}}, sa_flags = 93, sa_restorer = 0x7}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007fc49e764e3b in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fc49e8588a0 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7ffdf2516100, reg_save_area = 0x7ffdf2516010}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7ffdf2516100, reg_save_area = 0x7ffdf2516010}}
        fd = 2
        on_2 = <optimized out>
        list = <optimized out>
        nlist = <optimized out>
        cp = <optimized out>
        written = <optimized out>
#3  0x00007fc49e76a9be in malloc_printerr (ptr=<optimized out>, str=0x7fc49e855129 "corrupted double-linked list", action=3, ar_ptr=<optimized out>) at malloc.c:4855
        buf = "00000000009cf690"
        cp = <optimized out>
#4  malloc_printerr (action=3, str=0x7fc49e855129 "corrupted double-linked list", ptr=<optimized out>, ar_ptr=<optimized out>) at malloc.c:4836
No locals.
#5  0x00007fc49e76abc3 in malloc_consolidate (av=av@entry=0x7fc49ea93660 <main_arena>) at malloc.c:4078
        fb = <optimized out>
        maxfb = 0x7fc49ea936b0 <main_arena+80>
        p = 0x9cf690
        nextp = 0x9cd1d0
        unsorted_bin = 0x7fc49ea936b8 <main_arena+88>
        first_unsorted = <optimized out>
        nextchunk = 0x9cf8d0
        size = 576
        nextsize = 128
        prevsize = <optimized out>
        nextinuse = <optimized out>
        bck = <optimized out>
        fwd = <optimized out>
#6  0x00007fc49e76cb78 in _int_malloc (av=0x7fc49ea93660 <main_arena>, bytes=32816) at malloc.c:3374
        nb = 32832
        idx = <optimized out>
        bin = <optimized out>
        victim = <optimized out>
        size = <optimized out>
        victim_index = <optimized out>
        remainder = <optimized out>
        remainder_size = <optimized out>
        block = <optimized out>
        bit = <optimized out>
        map = <optimized out>
        fwd = <optimized out>
        bck = <optimized out>
        errstr = 0x0
        __func__ = "_int_malloc"
#7  0x00007fc49e76e1ac in __GI___libc_malloc (bytes=32816) at malloc.c:2874
        ar_ptr = 0x7fc49ea93660 <main_arena>
        victim = 0x6
        __func__ = "__libc_malloc"
#8  0x00007fc49e7a5caa in __alloc_dir (fd=14, close_fd=<optimized out>, flags=<optimized out>, statp=<optimized out>) at ../sysdeps/unix/opendir.c:199
        default_allocation = 32768
        small_allocation = 8192
        allocation = 32768
        dirp = <optimized out>
#9  0x00007fc4a0018666 in ?? () from /usr/lib64/libnetsnmpmibs.so.30
No symbol table info available.
#10 0x00007fc4a0018a00 in netsnmp_access_systemstats_container_arch_load () from /usr/lib64/libnetsnmpmibs.so.30
No symbol table info available.
#11 0x00007fc4a0015ec7 in netsnmp_access_systemstats_container_load () from /usr/lib64/libnetsnmpmibs.so.30
No symbol table info available.
#12 0x00007fc49ffeeabe in ipIfStatsTable_container_load () from /usr/lib64/libnetsnmpmibs.so.30
No symbol table info available.
#13 0x00007fc4a03d6100 in ?? () from /usr/lib64/libnetsnmpagent.so.30
No symbol table info available.
#14 0x00007fc49fcd0357 in run_alarms () from /usr/lib64/libnetsnmp.so.30
No symbol table info available.
#15 0x0000000000403d85 in ?? ()
No symbol table info available.
#16 0x00007fc49e713865 in __libc_start_main (main=0x4028f0, argc=20, ubp_av=0x7ffdf2516b88, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffdf2516b78) at libc-start.c:274
        result = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -764479061368474344, 4212360, 140728668875648, 0, 0, 765580028292920600, 787350082089547032}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x404950, 0x7ffdf2516b88}, data = {prev = 0x0, cleanup = 0x0, canceltype = 4213072}}}
        not_first_call = <optimized out>
#17 0x00000000004046b1 in ?? ()
No symbol table info available.

Thanks,
Kiran
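
A triage sketch for the backtrace above, added here as an example and not part of the original post or of Net-SNMP: it pulls out the glibc heap-check message, the allocation call that tripped the check, and the first named Net-SNMP frame. The sample frames are abridged from the post; parse_frames and triage are names made up for this example, and one frame per line is assumed.

```python
import re

# Frames abridged from the backtrace in the post (locals and some frames dropped).
SAMPLE_BT = r'''
#0  0x00007fc49e726f57 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
#1  0x00007fc49e728418 in __GI_abort () at abort.c:90
#3  0x00007fc49e76a9be in malloc_printerr (ptr=<optimized out>, str=0x7fc49e855129 "corrupted double-linked list", action=3, ar_ptr=<optimized out>) at malloc.c:4855
#5  0x00007fc49e76abc3 in malloc_consolidate (av=av@entry=0x7fc49ea93660 <main_arena>) at malloc.c:4078
#6  0x00007fc49e76cb78 in _int_malloc (av=0x7fc49ea93660 <main_arena>, bytes=32816) at malloc.c:3374
#7  0x00007fc49e76e1ac in __GI___libc_malloc (bytes=32816) at malloc.c:2874
#8  0x00007fc49e7a5caa in __alloc_dir (fd=14, close_fd=<optimized out>, flags=<optimized out>, statp=<optimized out>) at ../sysdeps/unix/opendir.c:199
#9  0x00007fc4a0018666 in ?? () from /usr/lib64/libnetsnmpmibs.so.30
#10 0x00007fc4a0018a00 in netsnmp_access_systemstats_container_arch_load () from /usr/lib64/libnetsnmpmibs.so.30
'''

# "#N [0xADDR in] func (args) [at file:line | from module]"
FRAME = re.compile(r'^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+) \((.*)\)'
                   r'(?: at (\S+):(\d+)| from (\S+))?\s*$')
# Public allocator entry points, with glibc's internal symbol prefixes.
ALLOC_ENTRY = re.compile(r'^(?:__GI_)?(?:__libc_)?(malloc|calloc|realloc|free)$')

def parse_frames(text):
    """Return one dict per '#N ...' frame line; locals lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:
            n, func, args, src, _lineno, module = m.groups()
            frames.append({"n": int(n), "func": func, "args": args,
                           "src": src, "module": module})
    return frames

def triage(frames):
    """Summarise what glibc reported and which code asked for the memory."""
    out = {"error": None, "alloc_call": None, "caller": None}
    for f in frames:
        if f["func"] == "malloc_printerr" and out["error"] is None:
            m = re.search(r'str=\S+ "([^"]*)"', f["args"])
            out["error"] = m.group(1) if m else None
        elif ALLOC_ENTRY.match(f["func"]):
            out["alloc_call"] = f"{f['func']}({f['args']})"
        elif (out["alloc_call"] and out["caller"] is None
              and f["module"] and f["func"] != "??"):
            # First named frame in a shared object above the allocator call.
            out["caller"] = (f["func"], f["module"])
    return out

if __name__ == "__main__":
    print(triage(parse_frames(SAMPLE_BT)))
```

The caller it reports is where glibc noticed the damaged chunk, which can be long after the write that damaged it, so cores with different callers and the same error string can share one root cause.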