Hello,

I installed net-snmp and net-snmp-utils today on a Fedora Core 6
machine through yum. This installed 5.3.1-15.fc6. I'm running into a
situation where I can reproduce segfaults through snmpwalk or
snmpbulkwalk. I'm requesting everything via a v2c request, specifying
the community string. This reliably chokes on the entry after
'TCP-MIB::tcpOutRsts.0 = Counter32: 15565'. Here's what happens:

# snmpwalk -c community_string -v 2c 10.10.10.10 | wc -l
Timeout: No Response from 10.10.10.10
1267
#

/var/log/messages gives this:
Feb 29 17:52:14 cluster1 snmpd[20326]: NET-SNMP version 5.3.1
Feb 29 17:52:21 cluster1 snmpd[20326]: Connection from UDP: [10.10.10.10]:32860
Feb 29 17:52:21 cluster1 snmpd[20326]: Received SNMP packet(s) from UDP: [10.10.10.10]:32860
Feb 29 17:52:21 cluster1 snmpd[20326]: Connection from UDP: [10.10.10.10]:32860
Feb 29 17:52:21 cluster1 last message repeated 452 times
Feb 29 17:52:21 cluster1 snmpd[20326]: ipSystemStatsTable node ipSystemStatsOutFragOKs not implemented: skipping
Feb 29 17:52:21 cluster1 snmpd[20326]: ipSystemStatsTable node ipSystemStatsOutFragOKs not implemented: skipping
Feb 29 17:52:21 cluster1 snmpd[20326]: Connection from UDP: [10.10.10.10]:32860
Feb 29 17:52:22 cluster1 last message repeated 824 times
Feb 29 17:52:22 cluster1 kernel: snmpd[20326]: segfault at 00005575559cc9dc rip 00002aaaab6cdcd6 rsp 00007fff4d8647b0 error 6

Here's the backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912594396272 (LWP 29349)]
0x00002aaaab6cdcd6 in netsnmp_hex_to_binary () from /usr/lib64/libnetsnmp.so.10
(gdb) bt
#0 0x00002aaaab6cdcd6 in netsnmp_hex_to_binary () from /usr/lib64/libnetsnmp.so.10
#1 0x00002aaaaad6b348 in netsnmp_arch_tcpconn_container_load () from /usr/lib64/libnetsnmpmibs.so.10
#2 0x00002aaaaad6ac47 in netsnmp_access_tcpconn_container_load () from /usr/lib64/libnetsnmpmibs.so.10
#3 0x00002aaaaad6ede5 in tcpConnectionTable_container_load () from /usr/lib64/libnetsnmpmibs.so.10
#4 0x00002aaaab25b2b4 in netsnmp_cache_timer_start () from /usr/lib64/libnetsnmphelpers.so.10
#5 0x00002aaaab25ba00 in netsnmp_cache_helper_handler () from /usr/lib64/libnetsnmphelpers.so.10
#6 0x00002aaaab0276ae in netsnmp_call_handler () from /usr/lib64/libnetsnmpagent.so.10
#7 0x00002aaaab26ad44 in table_helper_handler () from /usr/lib64/libnetsnmphelpers.so.10
#8 0x00002aaaab0276ae in netsnmp_call_handler () from /usr/lib64/libnetsnmpagent.so.10
#9 0x00002aaaab01ac3f in handle_var_requests () from /usr/lib64/libnetsnmpagent.so.10
#10 0x00002aaaab01bcc0 in handle_getnext_loop () from /usr/lib64/libnetsnmpagent.so.10
#11 0x00002aaaab01d108 in netsnmp_handle_request () from /usr/lib64/libnetsnmpagent.so.10
#12 0x00002aaaab01dce7 in handle_snmp_packet () from /usr/lib64/libnetsnmpagent.so.10
#13 0x00002aaaab6b982a in snmpv3_parse () from /usr/lib64/libnetsnmp.so.10
#14 0x00002aaaab6ba811 in _sess_read () from /usr/lib64/libnetsnmp.so.10
#15 0x00002aaaab6bb279 in snmp_sess_read () from /usr/lib64/libnetsnmp.so.10
#16 0x00002aaaab6bb2c3 in snmp_read () from /usr/lib64/libnetsnmp.so.10
#17 0x000055555555912a in main () from /usr/sbin/snmpd


After getting this error repeatedly, I made v5.3.2 and v5.4.1 from
source and installed them. These would also both segfault, although
not in the same positions. Here's the gdb output from 5.4.1:
error on subcontainer 'ia_addr' insert (-1)
error on subcontainer '' insert (-1)
*** glibc detected *** /usr/sbin/snmpd: corrupted double-linked list: 0x00000000007af980 ***
======= Backtrace: =========
/lib64/libc.so.6[0x395be6cd57]
/lib64/libc.so.6[0x395be6e7a7]
/lib64/libc.so.6(cfree+0x8c)[0x395be7214c]
/usr/local/lib/libnetsnmp.so.15[0x2aaaab2b6335]
/usr/local/lib/libnetsnmpmibs.so.15(ipAddressTable_container_load+0x5e)[0x2aaaaafb6dbe]
/usr/local/lib/libnetsnmphelpers.so.15[0x2aaaaacf3414]
/usr/local/lib/libnetsnmp.so.15(run_alarms+0x59)[0x2aaaab2a0569]
/usr/sbin/snmpd(main+0xd8a)[0x4041ea]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x395be1da44]
/usr/sbin/snmpd[0x403179]
======= Memory map: ========
00400000-00408000 r-xp 00000000 08:01 37715969 /usr/local/sbin/snmpd
00607000-00608000 rw-p 00007000 08:01 37715969 /usr/local/sbin/snmpd
00608000-007d0000 rw-p 00608000 00:00 0 [heap]
32fa000000-32fa10d000 r-xp 00000000 08:01 40054817 /usr/lib64/librpmdb-4.4.so
32fa10d000-32fa30c000 ---p 0010d000 08:01 40054817 /usr/lib64/librpmdb-4.4.so
32fa30c000-32fa313000 rw-p 0010c000 08:01 40054817 /usr/lib64/librpmdb-4.4.so
32fa313000-32fa314000 rw-p 32fa313000 00:00 0
32fa400000-32fa458000 r-xp 00000000 08:01 40052515 /usr/lib64/librpm-4.4.so
32fa458000-32fa657000 ---p 00058000 08:01 40052515 /usr/lib64/librpm-4.4.so
32fa657000-32fa65d000 rw-p 00057000 08:01 40052515 /usr/lib64/librpm-4.4.so
32fa65d000-32fa68f000 rw-p 32fa65d000 00:00 0
395ba00000-395ba1a000 r-xp 00000000 08:01 29556738 /lib64/ld-2.5.so
395bc19000-395bc1a000 r--p 00019000 08:01 29556738 /lib64/ld-2.5.so
395bc1a000-395bc1b000 rw-p 0001a000 08:01 29556738 /lib64/ld-2.5.so
395be00000-395bf44000 r-xp 00000000 08:01 29556741 /lib64/libc-2.5.so
395bf44000-395c144000 ---p 00144000 08:01 29556741 /lib64/libc-2.5.so
395c144000-395c148000 r--p 00144000 08:01 29556741 /lib64/libc-2.5.so
395c148000-395c149000 rw-p 00148000 08:01 29556741 /lib64/libc-2.5.so
395c149000-395c14e000 rw-p 395c149000 00:00 0
395c200000-395c282000 r-xp 00000000 08:01 29556772 /lib64/libm-2.5.so
395c282000-395c481000 ---p 00082000 08:01 29556772 /lib64/libm-2.5.so
395c481000-395c482000 r--p 00081000 08:01 29556772 /lib64/libm-2.5.so
395c482000-395c483000 rw-p 00082000 08:01 29556772 /lib64/libm-2.5.so
395c600000-395c603000 r-xp 00000000 08:01 29556762 /lib64/libdl-2.5.so
395c603000-395c802000 ---p 00003000 08:01 29556762 /lib64/libdl-2.5.so
395c802000-395c803000 r--p 00002000 08:01 29556762 /lib64/libdl-2.5.so
395c803000-395c804000 rw-p 00003000 08:01 29556762 /lib64/libdl-2.5.so
395ca00000-395ca14000 r-xp 00000000 08:01 40047047 /usr/lib64/libz.so.1.2.3
395ca14000-395cc13000 ---p 00014000 08:01 40047047 /usr/lib64/libz.so.1.2.3
395cc13000-395cc14000 rw-p 00013000 08:01 40047047 /usr/lib64/libz.so.1.2.3
395d200000-395d215000 r-xp 00000000 08:01 29556792 /lib64/libpthread-2.5.so
395d215000-395d414000 ---p 00015000 08:01 29556792 /lib64/libpthread-2.5.so
395d414000-395d415000 r--p 00014000 08:01 29556792 /lib64/libpthread-2.5.so
395d415000-395d416000 rw-p 00015000 08:01 29556792 /lib64/libpthread-2.5.so
395d416000-395d41a000 rw-p 395d416000 00:00 0
395d600000-395d72b000 r-xp 00000000 08:01 40239110 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE/libperl.so
395d72b000-395d92a000 ---p 0012b000 08:01 40239110 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/CORE/libperl.so
395d92a000-395d933000 rw-p 0012a000 08:01 40239110 /usr/lib64/perl5/5.8.8/x86_64-linux-thread-
Program received signal SIGABRT, Aborted.
[Switching to Thread 46912511800512 (LWP 16005)]
0x000000395be301b5 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x000000395be301b5 in raise () from /lib64/libc.so.6
#1 0x000000395be31b20 in abort () from /lib64/libc.so.6
#2 0x000000395be6766b in __libc_message () from /lib64/libc.so.6
#3 0x000000395be6cd57 in malloc_consolidate () from /lib64/libc.so.6
#4 0x000000395be6e7a7 in _int_free () from /lib64/libc.so.6
#5 0x000000395be7214c in free () from /lib64/libc.so.6
#6 0x00002aaaab2b6335 in _ba_for_each (container=<value optimized out>, f=0x2aaaaafb6810 <_add_new_entry>, context=0x6fee20) at container_binary_array.c:342
#7 0x00002aaaaafb6dbe in ipAddressTable_container_load (container=0x6fee20) at ip-mib/ipAddressTable/ipAddressTable_data_access.c:355
#8 0x00002aaaaacf3414 in _cache_load (cache=0x6fedb0) at cache_handler.c:537
#9 0x00002aaaab2a0569 in run_alarms () at snmp_alarm.c:252
#10 0x00000000004041ea in main (argc=<value optimized out>, argv=<value optimized out>) at snmpd.c:1210

I've upgraded the entire system through yum in case something was out
of sync, but to no avail. Has anyone else run into problems on Fedora
Core 6?

--
Thanks,
Joseph Vajda
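Triage note added by the editor, with an example that is not part of the original post and not code from the net-snmp project. The two artifacts in the report that a practitioner reads first are the kernel's "segfault at ... error 6" syslog line and the "Memory map" that glibc dumps on abort. The Python below parses both: it decodes the x86 page-fault error code (bit 0 = page present, bit 1 = write, bit 2 = user mode, bit 3 = reserved bit, bit 4 = instruction fetch, as defined in the kernel's arch/x86/mm/fault.c) and resolves an address against /proc/PID/maps-style lines. The sample inputs are copied from the post; the function names and the summary wording are the editor's own assumptions.

```python
"""Crash-triage helpers for a daemon crash like the one reported above.

Added example (editor's code, not from the post or from net-snmp). Parses the
kernel x86_64 "segfault at ... error N" syslog line, decodes the page-fault
error code, and resolves addresses against /proc/PID/maps-style lines, which
is the layout glibc prints under "Memory map" when it aborts.
"""
import re

# x86 page-fault error-code bits as the kernel defines them (arch/x86/mm/fault.c).
PF_PROT = 1    # 0: page not present, 1: protection violation on a present page
PF_WRITE = 2   # 0: read access,       1: write access
PF_USER = 4    # 0: kernel mode,       1: user mode
PF_RSVD = 8    # reserved bit set in a page-table entry
PF_INSTR = 16  # fault raised by an instruction fetch (NX)

SEGFAULT_RE = re.compile(
    r"kernel: (?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"rip (?P<rip>[0-9a-f]+) rsp (?P<rsp>[0-9a-f]+) error (?P<err>\d+)"
)

# One maps entry: range, perms, offset, device, inode, optional path.
MAPS_RE = re.compile(
    r"^(?P<lo>[0-9a-f]+)-(?P<hi>[0-9a-f]+) (?P<perms>[rwxps-]{4}) "
    r"(?P<off>[0-9a-f]+) \S+ \d+\s*(?P<path>.*)$"
)


def decode_error_code(err):
    """Translate the numeric error code into fault attributes."""
    return {
        "present": bool(err & PF_PROT),
        "write": bool(err & PF_WRITE),
        "user": bool(err & PF_USER),
        "reserved_bit": bool(err & PF_RSVD),
        "instr_fetch": bool(err & PF_INSTR),
    }


def parse_segfault(line):
    """Return the fields of a kernel segfault line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    err = int(m["err"])
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "addr": int(m["addr"], 16),
        "rip": int(m["rip"], 16),
        "rsp": int(m["rsp"], 16),
        "error": err,
        "fault": decode_error_code(err),
    }


def parse_maps(text):
    """Parse maps-style lines into (lo, hi, perms, path) tuples; skip other lines."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            regions.append((int(m["lo"], 16), int(m["hi"], 16),
                            m["perms"], m["path"].strip()))
    return regions


def find_mapping(regions, addr):
    """Return the mapping that contains addr, or None if it is unmapped."""
    for region in regions:
        if region[0] <= addr < region[1]:
            return region
    return None


def describe(event):
    """One-line summary of what the CPU was doing when it faulted."""
    f = event["fault"]
    if f["instr_fetch"]:
        kind = "instruction fetch from"
    else:
        kind = "write to" if f["write"] else "read from"
    state = ("a mapped page (protection violation)" if f["present"]
             else "an unmapped address")
    mode = "user" if f["user"] else "kernel"
    return "%s[%d]: %s-mode %s %s %#x at rip %#x" % (
        event["comm"], event["pid"], mode, kind, state, event["addr"], event["rip"])


# Sample inputs copied from the post above (the 5.3.1 syslog line and a few
# entries of the 5.4.1 "Memory map"); they are only here so the example runs offline.
SEGFAULT_LINE = ("Feb 29 17:52:22 cluster1 kernel: snmpd[20326]: segfault at "
                 "00005575559cc9dc rip 00002aaaab6cdcd6 rsp 00007fff4d8647b0 error 6")
MAPS_TEXT = """\
00400000-00408000 r-xp 00000000 08:01 37715969 /usr/local/sbin/snmpd
00607000-00608000 rw-p 00007000 08:01 37715969 /usr/local/sbin/snmpd
00608000-007d0000 rw-p 00608000 00:00 0 [heap]
395be00000-395bf44000 r-xp 00000000 08:01 29556741 /lib64/libc-2.5.so
395d416000-395d41a000 rw-p 395d416000 00:00 0
"""

if __name__ == "__main__":
    print(describe(parse_segfault(SEGFAULT_LINE)))
    regions = parse_maps(MAPS_TEXT)
    for addr in (0x4041ea, 0x7af980, 0x395be7214c):
        print("%#x -> %s" % (addr, find_mapping(regions, addr)))
```

Read against the report: error 6 is PF_USER | PF_WRITE with PF_PROT clear, so the 5.3.1 crash is a user-mode write to a page that is not mapped at all, with rip inside netsnmp_hex_to_binary according to the gdb frame; the line says that a write went through a pointer to unmapped memory, not why. For the 5.4.1 run, the maps dump and the backtrace cross-check: 0x4041ea (main+0xd8a) falls in the r-xp segment of /usr/local/sbin/snmpd and glibc's complained-about chunk 0x7af980 falls in [heap], which is what a "corrupted double-linked list" abort from free() should look like. The 5.3.1 rip cannot be resolved with this map because it comes from a different process and a different build.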