[quagga-dev 3955] snmpwalk ospfd crash (Bug 204)

Rolf Kistler rolf.kistler at ascom.ch
Wed Feb 22 11:16:23 GMT 2006


I have a remark concerning bug 204
(http://bugzilla.quagga.net/show_bug.cgi?id=204), which still seems to be
unconfirmed in Bugzilla. We also experienced this crash using the latest
stable version of Quagga (0.98.5) and Net-SNMP 5.2.1.

The crash resulted from an LSDB table lookup with an illegal type:

ospf_lsdb.c:ospf_lsdb_lookup_by_id_next (line 240):

  table = lsdb->type[type].db;  // Signal 11, segmentation fault due to illegal type

After taking the latest unstable version (0.99.3; in 0.99.2 the ospfd
daemon does not compile) the daemon crash disappeared (thanks to the type
check made by Mr. Ritoux in ospf_snmp.c). However, now I got the message
"Strange request with LSA type x" for requests to the OSPF-MIB groups
"ospfAreaTable", "ospfStubAreaTable" and "ospfLsdbTable". I was still
unable to read out data from the LSDB table.

Finally I made a small patch on 0.98.5 that worked for us so far (tests
still ongoing). The changes were:

1. We wanted to use the stable version, so I merged the new ospf snmp files
from 0.99.3 with 0.98.5.
2. In function "ospfLsdbLookup" I changed "len" from "unsigned int" to "int":

-  unsigned int len;
+  int len;
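Review bot: making `len` signed gets `if (len <= 0)` reached, but it leaves the comparisons of `len` against IN_ADDR_SIZE unchanged (`if (len > IN_ADDR_SIZE) len = IN_ADDR_SIZE;` in the excerpt below). If IN_ADDR_SIZE expands to a sizeof expression, that comparison is evaluated as unsigned, so a negative `len` compares greater and gets clamped to IN_ADDR_SIZE instead of being treated as "nothing left"; write it as `if (len > (int) IN_ADDR_SIZE)` or test `len <= 0` before clamping. Also, `*type = *offset;` still copies the sub-identifier into `type` without any range check; validating `type` against the legal LSA types before `lsdb->type[type].db` is indexed is what closes the segfault regardless of how the OID was parsed.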

The problem is that the value of this variable really becomes negative for
our snmpwalk requests. Further, there are statements in the code which
check the sign of "len". Unfortunately, those statements never become
true, and we always ended up with a wrong value for "type". Here is an
excerpt from "ospfLsdbLookup" (please look at the REMARKs).

      /* Get variable length. */
      offset = name + v->namelen;          // REMARK: In our request from Net-SNMP no valid data comes after "name"
      offsetlen = *length - v->namelen;    // REMARK: Results in "0" for our request
      len = offsetlen;

      if (len > IN_ADDR_SIZE)
        len = IN_ADDR_SIZE;

      oid2in_addr (offset, len, area_id);

      /* First we search area. */
      if (len == IN_ADDR_SIZE)
        area = ospf_area_lookup_by_area_id (ospf, *area_id);
      else
        area = ospf_area_lookup_next (ospf, area_id, len == 0 ? 1 : 0);

      if (area == NULL)
        return NULL;

          /* Next we lookup type. */
          offset += IN_ADDR_SIZE;
          offsetlen -= IN_ADDR_SIZE;       // REMARK: Gets negative
          len = offsetlen;

          if (len <= 0)                    // REMARK: Never true if "len" is negative but declared as "unsigned int"
            type_next = 1;
          else
            {
              len = 1;
              type_next = 0;
              *type = *offset;             // REMARK: This will lead to an illegal value for "type" as there is no reasonable value at "offset".
            }

          /* LS ID. */

There are also other locations in the code where "len" is declared as
"unsigned int" but should be treated as signed. What I still do not know
is whether it is really a bug or just some misuse on my side (I am quite
new to Quagga and SNMP, I have to admit).

As we evaluated Quagga to be used in a bigger software project (it is a fine
piece of software) and need strong OSPF SNMP support, any information on
this topic is greatly appreciated.

Many thanks.

Rolf Kistler

Applicable Research & Technology

mailto:rolf.kistler at ascom.ch
Phone +41 62 889 59 08
Fax +41 62 889 52 90

Ascom (Schweiz) AG
CH-5506 Mägenwil
