[rancid] problem with new Aruba/HP 2920

Doug Hughes doug.hughes at keystonenap.com
Sat Jan 27 16:37:17 UTC 2018



On 1/27/2018 11:23 AM, heasley wrote:
> Sat, Jan 27, 2018 at 10:57:56AM -0500, Doug Hughes:
>> got a new HP/Aruba 2920 to replace an old failed 2910al (POE power
>> supply failure - very common).. Weird thing is, hlogin doesn't work on
>> it. I get an EOF right after trying to send enable and it tries to match
>> the many stupid formatting characters that the Aruba folks have tried to
>> put into the output.
>>
>> I have manually set the switch to vt100 terminal type and reloaded, but
>> still it persists and it's loaded with those characters. I can't say
>> definitively that they are the issue, but something sure is strange. I
>> started looking into it and debugging and noticed all that. Also, clogin
>> seems to work (aside from command incompatibility), but hlogin does not
>> and gets an EOF prematurely.
>>
>> Anybody seen this?
> I haven't any of these.  Have one that I can poke remotely?  else, collect
> debug info from hlogin -d -c ... devicename

Since my post I have tracked it down to a segfault in hpuifilter.

As soon as I type (or rancid sends) enable, it crashes in a memmove
here:
420                     tlen = 0;
421                     tbuf[0] = '\0';
422                     break;
423                 } else if (bytes > 0) {
424                     tlen -= bytes;
425                     memmove(tbuf, tbuf + bytes, tlen + 1);
426                     if (tlen < 1)
427                         pfds[1].events &= ~POLLOUT;
428                 }
429             }
(gdb)
(gdb) display tbuf
4: tbuf =
"h\000[24;1H\000[24;1H\000[24;1H\000[24;1H\000[24;1H\000\033[24;1H\000[24;1H\000\062\064;1H\000[24;1H\000[24;1H\000;1H\000;17H\000\062\064;17H\000\062\064;17H\000\062\064;17H\000\062\064;17H\000\062\064;17H\000\062\064;17H\000[24;17H\000\062\064;17H\000\064;17H\000\062\064;17H\000\062\064;17H\000\061\067H\000\061\067H\000tandard
commercial license.\r\n\r\n\000ns"...
(gdb) display bytes
5: bytes = -556149
(gdb) display len
No symbol "len" in current context.
(gdb) display tlen
6: tlen = 936748722493063168
(gdb)

Somehow tlen gets really, really big and that causes a wraparound which
results in a negative size of bytes which causes memmove to segfault in
hpuifilter.

I'm trying to debug to see what I can see.
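
Added illustration, not part of the original message and not RANCID's own code: a guarded form of the drain step from the gdb listing above, which checks the length invariants before calling memmove and resets the buffer when they do not hold. The helper name drain_front, the size_t/ssize_t types and the 16-byte demo buffer are assumptions; the post does not show how tbuf, tlen or bytes are declared.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Hypothetical helper: drop `written` bytes from the front of a
 * NUL-terminated pending-output buffer of capacity `cap`.
 * Returns 0 on success. Returns -1 when the invariants are broken, in which
 * case the buffer is reset to empty instead of being passed to memmove.
 */
int drain_front(char *buf, size_t cap, size_t *len, ssize_t written)
{
    if (buf == NULL || len == NULL || cap == 0)
        return -1;

    /* Content plus terminator must fit in the buffer, and the amount
     * written can be neither negative nor larger than what was pending. */
    if (*len >= cap || written < 0 || (size_t)written > *len) {
        *len = 0;
        buf[0] = '\0';
        return -1;
    }
    if (written == 0)
        return 0;

    *len -= (size_t)written;
    memmove(buf, buf + written, *len + 1);   /* +1 keeps the terminator */
    return 0;
}

int main(void)
{
    char tbuf[16] = "enable\r";              /* constructed sample data */
    size_t tlen = strlen(tbuf);

    /* Normal partial write: 3 of 7 bytes went out. */
    printf("rc=%d tlen=%zu\n", drain_front(tbuf, sizeof tbuf, &tlen, 3), tlen);

    /* Corrupted length, as in the gdb display: rejected, buffer reset. */
    tlen = (size_t)936748722493063168ULL;
    printf("rc=%d tlen=%zu\n", drain_front(tbuf, sizeof tbuf, &tlen, 3), tlen);
    return 0;
}
```

A check like this turns the segfault into a detectable error at the point where the length first goes bad, which also narrows down where to look for the code that corrupts it.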