[quagga-dev 4412] Re: more 64 bit issues in smux

Pierre-Yves Ritschard pierre-yves at spootnik.org
Wed Sep 27 15:53:43 BST 2006

> Hi list,
> There are more 64-bit issues lying around in the smux code.
> I found one but cannot get to the bottom of it, so I'm posting some
> thoughts here in case someone finds a solution quicker than me:
> In smux_trap, a call to smux_get is issued, right here:
> Line 1097:
>>      ret = smux_get (oid, &oid_len, 1, &val_type, &val, &val_len);
>>      if (debug_smux)
>>        zlog_debug ("smux_get result %d", ret);
> In this call, the variable array in subtree is traversed, calling the
> FindVarMethod for each variable, like this:
> Line 514:
>>  for (ALL_LIST_ELEMENTS (treelist, node, nnode,subtree))
>>    {
>>      subresult = oid_compare_part (reqid, *reqid_len,
>>                                    subtree->name, subtree->name_len);
>> [...]
>>                  *val = (*v->findVar) (v, suffix, &suffix_len, exact,
>>                                        val_len, &write_method);
> In this call, val_len, which is a "size_t *", is sometimes set to 4, but the
> actual code is in net-snmp. This is wrong and the resulting code breaks
> since sizeof(long) is 8 on my system. Subsequent asn_build_ calls will
> then break and return NULL; the pointers will be dereferenced later on and
> crash ospfd.
> I can't get to see if the calling code is responsible for this return or
> the net-snmp code.
> Any ideas?
> P.S.: error checks for NULL returns are missing everywhere in the code? Is
> this on purpose? If not, I could submit a patch fixing that if I get some
> pointers on what to do in the case of error returns (silently logging,
> terminating the SMUX agent, ...)
OK, the problem seems to come from libsnmp: the function smux_parse,
which is called through the FindVarMethod function pointer in smux_get
(which is itself called from smux_trap).
Anyhow, sometimes this function, which is supposed to return a value, a
type and a length for this value, returns a length of 4 for ASN_INTEGERs
(which, as they are longs in the SNMP sense, should be 8).

The attached patch is a fix for this, but does not solve the root of the
problem, which I'm still looking for.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: quagga_lib_smux2.diff
Type: application/octet-stream
Size: 906 bytes
Desc: not available
URL: <http://lists.quagga.net/pipermail/quagga-dev/attachments/20060927/f3dfacf3/attachment-0001.obj>
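The failure chain described in this thread (a FindVarMethod reporting val_len = 4 for an ASN_INTEGER stored in an 8-byte long, the encoder then failing and returning NULL, and the unchecked NULL being dereferenced) can be reproduced and guarded against in a few lines. The following is an added example, not code from Quagga, net-snmp or the attached patch: `buggy_find_var`, `smux_check_val_len`, `build_int_tlv` and `encode_var_checked` are hypothetical names, and `build_int_tlv` is a simplified stand-in for net-snmp's ASN.1 INTEGER builder, refusing any length that does not match the storage size instead of producing a truncated encoding. The sample value is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard BER tag for INTEGER; used here as a stand-in for net-snmp's ASN_INTEGER. */
#define ASN_INTEGER 0x02

static long sample_value = 42;   /* constructed sample value for the demo */

/* Mimics the defect discussed in the thread: a FindVarMethod-style callback
 * that reports val_len = 4 for an ASN_INTEGER that is really stored in a long
 * (8 bytes on LP64). Hypothetical, not Quagga's or net-snmp's code. */
static uint8_t *buggy_find_var(uint8_t *type, size_t *val_len)
{
    *type = ASN_INTEGER;
    *val_len = 4;                          /* wrong on LP64: should be sizeof(long) */
    return (uint8_t *)&sample_value;
}

/* Sanity-check a (type, val_len) pair before it reaches the encoder.
 * Returns 0 when consistent, -1 otherwise. */
int smux_check_val_len(uint8_t type, size_t val_len)
{
    if (type == ASN_INTEGER && val_len != sizeof(long))
        return -1;
    return 0;
}

/* Minimal DER INTEGER encoder (hypothetical stand-in for asn_build_int):
 * tag, one-byte length, big-endian two's-complement value with redundant
 * leading 0x00/0xFF bytes stripped. Returns bytes written, or 0 on error. */
size_t build_int_tlv(uint8_t *out, size_t out_size, const long *intp, size_t intsize)
{
    if (intsize != sizeof(long))           /* length must match the storage size */
        return 0;
    uint8_t buf[sizeof(long)];
    for (size_t i = 0; i < sizeof(long); i++)
        buf[sizeof(long) - 1 - i] = (uint8_t)((unsigned long)*intp >> (8 * i));
    size_t start = 0;
    while (start < sizeof(long) - 1 &&
           ((buf[start] == 0x00 && !(buf[start + 1] & 0x80)) ||
            (buf[start] == 0xFF &&  (buf[start + 1] & 0x80))))
        start++;
    size_t len = sizeof(long) - start;
    if (out_size < 2 + len)
        return 0;
    out[0] = ASN_INTEGER;
    out[1] = (uint8_t)len;
    memcpy(out + 2, buf + start, len);
    return 2 + len;
}

/* Defensive caller: validate the callback's length first, then check the
 * encoder's result instead of dereferencing it blindly. Sets *rejected = 1
 * when the variable was refused; returns the encoded length or 0. */
size_t encode_var_checked(uint8_t *out, size_t out_size, int *rejected)
{
    uint8_t type;
    size_t val_len;
    uint8_t *val = buggy_find_var(&type, &val_len);
    *rejected = 0;
    if (val == NULL || smux_check_val_len(type, val_len) != 0) {
        *rejected = 1;                     /* log and skip rather than crash */
        return 0;
    }
    return build_int_tlv(out, out_size, (const long *)val, val_len);
}

/* Encode v and compare against an expected byte string; 1 on match, 0 otherwise. */
int check_encoding(long v, const uint8_t *expected, size_t expected_len)
{
    uint8_t out[2 + sizeof(long)];
    size_t n = build_int_tlv(out, sizeof out, &v, sizeof(long));
    return n == expected_len && memcmp(out, expected, n) == 0;
}

int main(void)
{
    uint8_t out[16];
    int rejected;
    size_t n = encode_var_checked(out, sizeof out, &rejected);
    printf("sizeof(long)=%zu, buggy val_len=4 -> %s (%zu bytes)\n",
           sizeof(long), rejected ? "rejected" : "encoded", n);
    return 0;
}
```

On an LP64 host the buggy callback is refused before any encoding happens; on an ILP32 host, where sizeof(long) is 4, the same length is consistent and the value encodes normally, which is exactly why the bug only surfaced on 64-bit builds.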
