Bug 154014 - tc segfaults when parsing some erroneous parameters
Summary: tc segfaults when parsing some erroneous parameters
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: iproute
Version: 4.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Radek Vokal
QA Contact: Brock Organ
Duplicates: 200651
Depends On:
Reported: 2005-04-06 15:51 UTC by Christophe GRENIER
Modified: 2007-11-30 22:07 UTC
CC List: 4 users

Fixed In Version: RHBA-2007-0184
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-05-01 17:19:17 UTC
Target Upstream Version:

Attachments:
structures.patch (deleted), 2006-07-31 13:19 UTC, Radek Vokal

Links:
System: Red Hat Product Errata; ID: RHBA-2007:0184; Priority: normal; Status: SHIPPED_LIVE; Summary: iproute bug fix update; Last Updated: 2007-05-01 17:19:15 UTC

Description Christophe GRENIER 2005-04-06 15:51:34 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050323 Firefox/1.0.2 Fedora/1.0.2-1.3.1

Description of problem:
tc segfaults when parsing some erroneous parameters

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. tc qdisc add dev eth0 handle ffff: police rate 1kbit

Actual Results:  gdb tc
(gdb) set args qdisc add dev eth0 handle ffff: police rate 1kbit
(gdb) r
Starting program: /sbin/tc qdisc add dev eth0 handle ffff: police rate 1kbit

Program received signal SIGSEGV, Segmentation fault.
0x00006563 in ?? ()
(gdb) bt full
#0  0x00006563 in ?? ()
No symbol table info available.
#1  0x0804b65f in tc_qdisc_modify (cmd=0, flags=1536, argc=2, argv=0xbfff7094) at tc_qdisc.c:130
        handle = 4294901760
        rth = {fd = 0, local = {nl_family = 27708, nl_pad = 49151, nl_pid = 5922819, nl_groups = 164458504}, peer = {
    nl_family = 53236, nl_pad = 102, nl_pid = 6744064, nl_groups = 164458504}, seq = 3221187672, dump = 5933818}
        q = (struct qdisc_util *) 0x8063220
        est = {interval = 0 '\0', ewma_log = 0 '\0'}
        d = "eth0", '\0' <repeats 11 times>
        k = "police\000\000\000\000\000\000\000\000\000"
        req = {n = {nlmsg_len = 47, nlmsg_type = 36, nlmsg_flags = 1537, nlmsg_seq = 0, nlmsg_pid = 0}, t = {
    tcm_family = 0 '\0', tcm__pad1 = 0 '\0', tcm__pad2 = 0, tcm_ifindex = 0, tcm_handle = 4294901760, tcm_parent = 0,
    tcm_info = 0}, buf = "\v\000\001\000police", '\0' <repeats 65525 times>}
#2  0x0804c0d1 in do_qdisc (argc=8, argv=0xbfff707c) at tc_qdisc.c:359
No locals.
#3  0x0804b0bd in main (argc=10, argv=0xbfff7074) at tc.c:288
        batch = (FILE *) 0xbfff7074
        largc = -1073778572

Expected Results:  There must be an error message about the missing parameters

Additional info:

Comment 1 Radek Vokal 2005-04-07 10:37:06 UTC
I've just managed to close those 15 empty bugs you've submitted to me....

Which kernel are you currently using? I've never played with queueing policy, so
I'm not sure how I can reproduce it. When calling your step I get an error message

Unknown qdisc "police", hence option "rate" is unparsable

Which seems like a correct error message to me. Or do I need to specify "police"
somehow before doing this step?

Comment 2 Christophe GRENIER 2005-04-07 11:10:36 UTC
Sorry for the empty bug reports, but Bugzilla sent an error 500. I had to remove
some stuff from the gdb output to get the message accepted.

It seems you got the correct error message.
I have been able to reproduce the bug on 3 servers:
- kernel-2.6.10-1.770_FC3 glibc-2.3.4-2.fc3
- kernel-2.6.10-1.770_FC3 glibc-2.3.4-10
- kernel-2.6.9-1.724_FC3 glibc-2.3.4-2.fc3
There is no prior configuration to setup, you don't even need to have a valid
interface or to be root.
sh-3.00$ /sbin/tc qdisc add dev fakedev handle ffff: police rate 1kbit
Segmentation fault

Old versions iproute-2.4.7-7.90.1 (RH9) and iproute-2.4.7-14 (FC2) are not affected:
/sbin/tc qdisc add dev fakedev handle ffff: police rate 1kbit
Unknown qdisc "police", hence option "rate" is unparsable

Comment 3 Radek Vokal 2005-04-07 11:22:15 UTC
Ok, I've managed to reproduce this bug on a RHEL4 system. My machine doesn't
seem to be affected and also new version of iproute doesn't have this issue. Can
you also please try the latest iproute from devel branch? (iproute-2.6.11-2)

Comment 4 Christophe GRENIER 2005-04-07 12:28:01 UTC
Only version 2.6.11-1 is available at
I have rebuilt it under FC3; version 2.6.11-1 is not affected by this bug.

Comment 5 Radek Vokal 2005-04-11 06:57:15 UTC
I'm moving this bugzilla to RHEL4.

Comment 7 Rik van Riel 2006-07-30 00:14:49 UTC
The patch iproute2-2.6.9-tc.patch that is in the U4 beta breaks tc when using it
for traffic shaping with the popular wshaper script. This will need to be fixed
before U4 can ship.

Comment 8 Rik van Riel 2006-07-30 00:15:28 UTC
*** Bug 200651 has been marked as a duplicate of this bug. ***

Comment 14 Radek Vokal 2006-07-31 13:19:55 UTC
Created attachment 133318 [details]

Proposed patch for this issue.

Comment 15 Radek Vokal 2006-07-31 13:30:58 UTC
Comment on attachment 133318 [details]

>-	table = calloc(sizeof(double), TABLESIZE);
>+	table = calloc(TABLESIZE+1, sizeof(double));
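Review bot: the only behavioural change in this hunk is the extra element (TABLESIZE+1); swapping the calloc arguments is cosmetic, since calloc(sizeof(double), TABLESIZE) and calloc(TABLESIZE, sizeof(double)) request the same number of bytes. The comment says only "Small change in previous attachment" and does not name the access that reads or writes table[TABLESIZE]; the description should cite that loop or index so the allocation size is tied to the actual off-by-one rather than padding over it, and any other place that sizes or copies the table with TABLESIZE should be checked for the same bound.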

Small change in previous attachment

Comment 21 Red Hat Bugzilla 2007-05-01 17:19:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
