[quagga-dev 4400] Segfault in lib/smux.c

Pierre-Yves Ritschard pierre-yves at spootnik.org
Tue Sep 26 09:11:48 BST 2006


We are using quagga-0.99.5 on amd64 linux boxes.
When trying to bind quagga to snmpd through the smux peer configuration
option we ran into a segfault in ospfd.

The ospfd log says:
OSPF: Received signal 11 at 1159201300 (si_addr 0x0); aborting...

Using additional zlogs I tracked it down to the smux_trap call in
ospf_snmp.c at line 2578 in ospfTrapNbrStateChange().

>  smux_trap (ospf_oid, sizeof ospf_oid / sizeof (oid),
>             index,  IN_ADDR_SIZE + 1,
>             ospfNbrTrapList,
>             sizeof ospfNbrTrapList / sizeof (struct trap_object),
>             time (NULL), NBRSTATECHANGE);

Now in smux_trap(), I found a call to asn_build_sequence with a NULL
pointer which is the cause of the crash in smux.c at line 1051.

>  ptr = asn_build_sequence (ptr, &len,
>                            (u_char) (ASN_SEQUENCE | ASN_CONSTRUCTOR),
>                            0);

I'm trying to see why a NULL pointer is passed here, but thought this
might be precise enough so you guys could see what is going on too.
If you have any idea for a fix, we'd be grateful.

Some more detail:
The ptr pointer (which is a pointer to the asn buffer) becomes NULL
after this:

>  /* Generic trap integer. */
>  ptr = asn_build_int (ptr, &len,
>                    (u_char)(ASN_UNIVERSAL | ASN_PRIMITIVE | ASN_INTEGER),
>                    &val, sizeof (int));

It looks like it is related to the size of ints snmp wise and system
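
The encoding chain from the report, as an added example (not Quagga's or net-snmp's code) written from the defensive side: it checks each builder's return value instead of passing a NULL pointer on to the next call. It assumes net-snmp's asn_build_int returns NULL when the integer size it is handed differs from sizeof(long), stands in for that function with the constructed build_int_stub so it runs without net-snmp, and the names encode_trap_checked and trap_result are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for net-snmp's asn_build_int(): like the real
 * function it returns NULL when intsize != sizeof(long), which is what a
 * caller passing sizeof(int) hits on LP64 platforms such as amd64. */
static unsigned char *
build_int_stub(unsigned char *data, size_t *datalength,
               const long *intp, size_t intsize)
{
    if (data == NULL || intsize != sizeof(long) || *datalength < 2 + sizeof(long))
        return NULL;
    data[0] = 0x02;                          /* ASN.1 INTEGER tag */
    data[1] = (unsigned char) sizeof(long);  /* simplified fixed length */
    memcpy(data + 2, intp, sizeof(long));
    *datalength -= 2 + sizeof(long);
    return data + 2 + sizeof(long);
}

/* Encode the generic-trap integer then the sequence header, checking each
 * intermediate pointer so a NULL never reaches the next builder call.
 * Returns bytes written, or -1 if a step fails (where ospfd crashed). */
static int
encode_trap_checked(unsigned char *buf, size_t buflen,
                    long generic_trap, size_t intsize)
{
    unsigned char *ptr = buf;
    size_t len = buflen;

    ptr = build_int_stub(ptr, &len, &generic_trap, intsize);
    if (ptr == NULL || len < 2)
        return -1;
    ptr[0] = 0x30;   /* ASN_SEQUENCE | ASN_CONSTRUCTOR */
    ptr[1] = 0x00;   /* length placeholder, as in the original call */
    return (int) (ptr + 2 - buf);
}

/* Drive the chain with a given integer size; -1 means the unchecked
 * original would have dereferenced NULL at this point. 6 is a sample value. */
static int trap_result(size_t intsize)
{
    unsigned char buf[32];
    return encode_trap_checked(buf, sizeof buf, 6L, intsize);
}

int main(void)
{
    printf("int: %d  long: %d\n", trap_result(sizeof(int)), trap_result(sizeof(long)));
    return 0;
}
```

On an LP64 box the sizeof(int) run returns -1 at the point where the unchecked code went on to call asn_build_sequence with NULL; passing sizeof(long) produces a complete encoding.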
