[Pkg-net-snmp-devel] snmpd crashed after some time

Dr. Tilo Levante tilo at levante.de
Sun Nov 5 21:13:31 CET 2006


Hi net-snmp team,

I have a bug similar to #388190.
I use snmpd (5.2.3-2) on two servers with a ppp daemon. After some time, 
it just stops working (no message in the log file).

After some playing, I could reproduce the error (using openvpn to create 
an additional interface) and got the following result from gdb:

ioctl 35091 returned -1
ioctl 35105 returned -1
netsnmp_assert __extension__ ({ size_t __s1_len, __s2_len; 
(__builtin_constant_p (rowreq_ctx->data.ifentry->name) && 
__builtin_constant_p (ifentry->name) && (__s1_len = strlen 
(rowreq_ctx->data.ifentry->name), __s2_len = strlen (ifentry->name), 
(!((size_t)(const void *)((rowreq_ctx->data.ifentry->name) + 1) - 
(size_t)(const void *)(rowreq_ctx->data.ifentry->name) == 1) || __s1_len 
 >= 4) && (!((size_t)(const void *)((ifentry->name) + 1) - 
(size_t)(const void *)(ifentry->name) == 1) || __s2_len >= 4)) ? 
__builtin_strcmp (rowreq_ctx->data.ifentry->name, ifentry->name) : 
(__builtin_constant_p (rowreq_ctx->data.ifentry->name) && 
((size_t)(const void *)((rowreq_ctx->data.ifentry->name) + 1) - 
(size_t)(const void *)(rowreq_ctx->data.ifentry->name) == 1) && 
(__s1_len = strlen (rowreq_ctx->data.ifentry->name), __s1_len < 4) ? 
(__builtin_constant_p (ifentry->name) && ((size_t)(const void 
*)((ifentry->name) + 1) - (size_t)(const void *)(ifentry->name) == 1) ? 
__builtin_strcmp (rowreq_ctx->data.ifentry->name, ifentry->name) : 
(__extension__ ({ __const unsigned char *__s2 = (__const unsigned char 
*) (__const char *) (ifentry->name); register int __result = (((__const 
unsigned char *) (__const char *) (rowreq_ctx->data.ifentry->name))[0] - 
__s2[0]); if (__s1_len > 0 && __result == 0) { __result = (((__const 
unsigned char *) (__const char *) (rowreq_ctx->data.ifentry->name))[1] - 
__s2[1]); if (__s1_len > 1 && __result == 0) { __result = (((__const 
unsigned char *) (__const char *) (rowreq_ctx->data.ifentry->name))[2] - 
__s2[2]); if (__s1_len > 2 && __result == 0) __result = (((__const 
unsigned char *) (__const char *) (rowreq_ctx->data.ifentry->name))[3] - 
__s2[3]); } } __result; }))) : (__builtin_constant_p (ifentry->name) && 
((size_t)(const void *)((ifentry->name) + 1) - (size_t)(const void 
*)(ifentry->name) == 1) && (__s2_len = strlen (ifentry->name), __s2_len 
< 4) ? (__builtin_constant_p (rowreq_ctx->data.ifentry->name) && 
((size_t)(const void *)((rowreq_ctx->data.ifentry->name) + 1) - 
(size_t)(const void *)(rowreq_ctx->data.ifentry->name) == 1) ? 
__builtin_strcmp (rowreq_ctx->data.ifentry->name, ifentry->name) : 
(__extension__ ({ __const unsigned char *__s1 = (__const unsigned char 
*) (__const char *) (rowreq_ctx->data.ifentry->name); register int 
__result = __s1[0] - ((__const unsigned char *) (__const char *) 
(ifentry->name))[0]; if (__s2_len > 0 && __result == 0) { __result = 
(__s1[1] - ((__const unsigned char *) (__const char *) 
(ifentry->name))[1]); if (__s2_len > 1 && __result == 0) { __result = 
(__s1[2] - ((__const unsigned char *) (__const char *) 
(ifentry->name))[2]); if (__s2_len > 2 && __result == 0) __result = 
(__s1[3] - ((__const unsigned char *) (__const char *) 
(ifentry->name))[3]); } } __result; }))) : __builtin_strcmp 
(rowreq_ctx->data.ifentry->name, ifentry->name)))); }) == 0 failed 
if-mib/ifTable/ifTable_data_access.c:207 
_check_interface_entry_for_updates()
*** glibc detected *** free(): invalid pointer: 0x0813f838 ***

Program received signal SIGABRT, Aborted.
0xb7bff947 in raise () from /lib/tls/libc.so.6
(gdb) where
#0  0xb7bff947 in raise () from /lib/tls/libc.so.6
#1  0xb7c010c9 in abort () from /lib/tls/libc.so.6
#2  0xb7c34fda in __fsetlocking () from /lib/tls/libc.so.6
#3  0xb7c3c89f in mallopt () from /lib/tls/libc.so.6
#4  0xb7c3c942 in free () from /lib/tls/libc.so.6
#5  0xb7f1982b in netsnmp_access_interface_entry_free () from 
/usr/lib/libnetsnmpmibs.so.10
#6  0xb7f1edc7 in ifTable_container_init () from 
/usr/lib/libnetsnmpmibs.so.10
#7  0xb7dda634 in netsnmp_binary_array_get_subset () from 
/usr/lib/libnetsnmp.so.10
#8  0xb7f1f4da in ifTable_container_load () from 
/usr/lib/libnetsnmpmibs.so.10
#9  0xb7f1df32 in _mfd_ifTable_undo_setup_release () from 
/usr/lib/libnetsnmpmibs.so.10
#10 0xb7e1bc08 in netsnmp_is_cache_valid () from 
/usr/lib/libnetsnmphelpers.so.10
#11 0xb7dbd346 in run_alarms () from /usr/lib/libnetsnmp.so.10
#12 0x0804aa6a in SnmpdCatchRandomSignal ()
#13 0xb7bebea8 in __libc_start_main () from /lib/tls/libc.so.6
#14 0x08049ca1 in ?? ()


I was not able to reproduce it a second time.

What I did:
   gdb snmpd
   run -f  -u snmp -I -smux -p /var/run/snmpd.pid 192.168.100.99

In a second window
   openvpn --remote www.levante.de --dev tun4 \
     --ifconfig 99.99.99.99 99.99.99.100
   (ctrl c and start again, with tun5, tun6, tun4, ...)

In a third window
   for (( i=1;i<200000;i++)) ; do snmpwalk -Os  \
     -c public -v 1 192.168.100.99 ifDescr ; done




assumption -> problems with malloc

I tried dmalloc and rebuilt the package
   with --with-dmalloc
   with -g
   and without dh_strip

Result:
   No crash!
   But:
ifDescr.1 = STRING: eth0
ifDescr.2 = STRING: eth1
ifDescr.3 = STRING: eth2
ifDescr.4 = STRING: lo
ifDescr.5 = STRING: ppp0
ifDescr.6 = STRING: tun0
ifDescr.7 = STRING: tun4
ifDescr.10 = STRING: tun4
ifDescr.68 = STRING: tun4
ifDescr.103 = STRING: tun4
ifDescr.125 = STRING: tun4
ifDescr.126 = STRING: tun5
ifDescr.131 = STRING: tun5

(Here is the dmalloc report:
1162681289: 17759: Dmalloc version '5.4.2' from 'http://dmalloc.com/'
1162681289: 17759: flags = 0x4f48503, logfile '/root/logfile'
1162681289: 17759: interval = 100, addr = 0, seen # = 0, limit = 0
1162681289: 17759: threads enabled, lock-on = 0, lock-init = 2
1162681289: 17759: starting time = 1162681288
1162681289: 17759: process pid = 6854
1162681289: 17759: WARNING: tried to free(0) from 'ra=0xb7b5834c'
1162681289: 18493: WARNING: tried to free(0) from 'ra=0xb7af7407'
is running, so no summary
)

As you can see, the interfaces are reported several times (this did not
happen with the original version).

Maybe someone has an idea how to fix this?
I am trying to find the reason, but my time is a little limited at the moment.

Greetings

tilo
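
Added example, not part of the original message: a POSIX shell filter that reads `snmpwalk -Os ... ifDescr` output and reports interface names listed under more than one ifIndex, the symptom visible in the dmalloc build's output above. The function names are assumptions of this example, and the sample input is constructed from the lines quoted in the message.

```shell
#!/bin/sh
# Added example: detect interface names that ifTable reports under
# more than one ifIndex in `snmpwalk -Os ... ifDescr` output.

# Constructed sample input, copied from the walk quoted in the message.
sample_walk() {
    cat <<'EOF'
ifDescr.1 = STRING: eth0
ifDescr.4 = STRING: lo
ifDescr.5 = STRING: ppp0
ifDescr.7 = STRING: tun4
ifDescr.10 = STRING: tun4
ifDescr.68 = STRING: tun4
ifDescr.103 = STRING: tun4
ifDescr.125 = STRING: tun4
ifDescr.126 = STRING: tun5
ifDescr.131 = STRING: tun5
EOF
}

# Reads walk output on stdin. Prints "name: idx idx ..." for every name
# seen under several indexes; exit status is 1 if any were found, else 0.
find_duplicate_ifdescr() {
    awk '
        /^ifDescr\.[0-9]+ = STRING: / {
            idx = $1
            sub(/^ifDescr\./, "", idx)
            name = $0
            sub(/^ifDescr\.[0-9]+ = STRING: /, "", name)
            gsub(/^"|"$/, "", name)          # some builds quote the value
            if (count[name]++) {
                rows[name] = rows[name] " " idx
            } else {
                rows[name] = idx
                order[++n] = name            # keep first-seen order
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) {
                    print order[i] ": " rows[order[i]]
                    dup = 1
                }
            exit dup + 0
        }'
}

sample_walk | find_duplicate_ifdescr || echo "duplicate ifDescr rows found" >&2
```

In the reproduction loop, the live `snmpwalk` output can be piped into `find_duplicate_ifdescr` so that the loop stops on the first walk that shows a duplicated name.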

