Bug 33622 – UMC crashes with Traceback: IndexError: list index out of range

Bug 33622 - UMC crashes with Traceback: IndexError: list index out of range


Summary:	UMC crashes with Traceback: IndexError: list index out of range

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UMC (Generic)
Version:	UCS 3.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 3.2-0-errata
Assigned To:	Florian Best
QA Contact:	Dirk Wiesenthal

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2013-12-02 08:44 CET by Roman Dietiker
Modified:	2021-06-23 07:29 CEST (History)
CC List:	4 users (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Attachments
fix header parsing of UMCP message.py (1.50 KB, patch) 2013-12-02 10:07 CET, Florian Best	Details \| Diff
customer logfile (49.26 MB, application/x-tar) 2013-12-02 11:37 CET, Janis Meybohm	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Roman Dietiker 2013-12-02 08:44:04 CET

In one of our UCS installations the umc crashes two or three times every week.

28.11.13 14:18:11.834  MAIN        ( INFO    ) : Passing new request to running module computerroom
28.11.13 14:18:11.834  PROTOCOL    ( INFO    ) : Sending UMCP COMMAND REQUEST 138564469175637-964
28.11.13 14:18:11.834  PARSER      ( INFO    ) : UMCP RESPONSE 138564469126989-960 parsed successfully
28.11.13 14:18:11.834  PROTOCOL    ( INFO    ) : Received UMCP RESPONSE 138564469126989-960
28.11.13 14:18:11.835  PARSER      ( PROCESS ) : Attribute status just available for MIME type application/json
28.11.13 14:18:11.835  PARSER      ( PROCESS ) : Attribute status just available for MIME type application/json
28.11.13 14:18:11.866  PARSER      ( INFO    ) : The message body is not complete: 65479 of 145622 bytes
28.11.13 14:18:11.876  PARSER      ( INFO    ) : The message body is not complete: 131015 of 145622 bytes
28.11.13 14:18:11.887  PARSER      ( INFO    ) : UMCP RESPONSE 138564469135276-961 parsed successfully
28.11.13 14:18:11.887  PROTOCOL    ( INFO    ) : Received UMCP RESPONSE 138564469135276-961
28.11.13 14:18:11.887  PARSER      ( PROCESS ) : Attribute status just available for MIME type application/json
28.11.13 14:18:11.887  PARSER      ( PROCESS ) : Attribute status just available for MIME type application/json
28.11.13 14:18:11.918  PARSER      ( INFO    ) : The message body is not complete: 65479 of 353405 bytes
28.11.13 14:18:11.928  PARSER      ( INFO    ) : The message body is not complete: 131015 of 353405 bytes
28.11.13 14:18:11.939  PARSER      ( INFO    ) : The message body is not complete: 196551 of 353405 bytes
28.11.13 14:18:11.949  PARSER      ( INFO    ) : The message body is not complete: 262087 of 353405 bytes
28.11.13 14:18:11.960  PARSER      ( INFO    ) : The message body is not complete: 287943 of 353405 bytes
28.11.13 14:18:11.981  PARSER      ( INFO    ) : UMCP RESPONSE 138564469146776-962 parsed successfully
28.11.13 14:18:11.981  PROTOCOL    ( INFO    ) : Received UMCP RESPONSE 138564469146776-962
28.11.13 14:18:11.981  PARSER      ( PROCESS ) : Attribute status just available for MIME type application/json
28.11.13 14:18:11.981  PARSER      ( PROCESS ) : Attribute status just available for MIME type application/json
28.11.13 14:18:11.982  MAIN        ( ERROR   ) : Traceback (most recent call last):
  File "/usr/sbin/univention-management-console-server", line 209, in <module>
    umc_daemon.do_action()
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 186, in do_action
    func(self)
  File "/usr/lib/pymodules/python2.6/daemon/runner.py", line 131, in _start
    self.app.run()
  File "/usr/sbin/univention-management-console-server", line 192, in run
    notifier.loop()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 284, in loop
    step()
  File "/usr/lib/pymodules/python2.6/notifier/nf_generic.py", line 271, in step
    not __sockets[ cond ][ fd ]( sock_obj ):
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/client.py", line 316, in _recv
    recv = response.parse( recv )
  File "/usr/lib/pymodules/python2.6/univention/management/console/protocol/message.py", line 227, in parse
    current_length = len( lines[ 1 ] )
IndexError: list index out of range


The debug level is allready on 5. Are there Any ways to get more information to fit it in this bug post?


We are on errata level 183, and dont't want to make updates unless theres no other way.


It's also not possible to trigger this traceback, as it happens randomly.

Comment 1 Florian Best

2013-12-02 10:07:42 CET

Created attachment 5685 [details]
fix header parsing of UMCP message.py

Hello, thank you for your bug report!

I could trigger this error as well. The cause for this (probably) seems to be an error when displaying screenshots of students in the computerroom module. To further investigate this some more information would be useful: the logfiles management-console-module-computerroom.log, management-console-web-server.log and some more context from management-console-server.log (with UCR umc/server/debug/level=4 and umc/module/debug/level=4).

________
technical information:
It seems that the UMCP header is very long and therefore not send in one chunk (or maybe the body doesn't exists at all?).

I can reproduce the problem by simply doing:
echo -en 'REQUEST/1/2/application/json: AUTH' | sslify | nc 127.0.0.1 6670

However, from the log I can see that the computerroom module is used with a command which does not use JSON. So it can be caused either by the UMCP-Commands "computerroom/vnc", "computerroom/screenshot" or by a malformed request.

Comment 2 Roman Dietiker 2013-12-02 11:10:32 CET

I uploaded a tar file with the requested log files to upload.univention.de: 
upload_yvm5IH.tar

The Problem occured on the 28.11.13 around 14:18.

Comment 3 Janis Meybohm

2013-12-02 11:37:13 CET

Created attachment 5686 [details]
customer logfile

upload_yvm5IH.tar

Comment 4 Stefan Gohmann

2014-01-30 07:14:45 CET

The patch seems to help in the customer environment. Please prepare it for the next errata updates.

Comment 5 Stefan Gohmann

2014-01-30 07:16:28 CET

(In reply to Roman Dietiker from comment #2)
> I uploaded a tar file with the requested log files to upload.univention.de: 
> upload_yvm5IH.tar
> 
> The Problem occured on the 28.11.13 around 14:18.

Which UCS version do you use? 3.1 or 3.2?

Comment 6 Florian Best

2014-01-30 11:19:54 CET

The patch has been applied (slightly adapted to also allow empty bodies).

2014-01-30-univention-management-console.yaml

QA: the following still works ;)

send() {
    printf "$1" | socat -t1 stdin openssl:localhost:6670,verify=0
}

send 'REQUEST/1/2/application/json: SET\n{}'
send 'REQUEST/1/2/application/json: SET\n{}REQUEST/2/2/application/json: SET\n{}'
send 'REQUEST/1/0/foo/bar: SET\n'
send "$(python -c 'print "REQUEST/1/65536/foo/bar: SET\n" + "a"*65536')"

doesn't break anymore:
send 'REQUEST/1/2/application/json: AUTH'

Comment 7 Florian Best

2014-02-04 12:58:19 CET

Another fix, which allows the UMCP header also to be send in chunks has been commitet.

YAML adapted: univention-management-console 6.0.24-3.776.201402041249

Comment 8 Dirk Wiesenthal

2014-02-04 18:00:06 CET

VERIFIED, this traceback cannot happen anymore.

The error occurred in computerroom/screenshot. The Response string did not contain a '\n'. I was unable to reproduce this in "real life", though.

Message._formattedMessage:
  return '%s/%s/%d/%s: %s %s\n%s' % ( type, _id, len( data ), mimetype, command, args, data )

There is no way how a \n could not be in there, except two cases:
(1) Very long header (> 65536 bytes) up to the "\n" -> more or less impossible, as the response in computerroom/screenshot is well defined
(2) The socket sends multiple responses at once, the client handles them but the last one is only read up to the " %s %s" and cut just before "\n"

I could not observe this behaviour: The socket sends one response at a time.

Anyway, the code is better now and should handle (2) (whether this happens or not). If this error occurs again after this patch, we have to rework.

Maybe the network even forgot some bytes? In this case we would have to add a checksum?

Comment 9 Florian Best

2014-02-05 09:28:30 CET

(In reply to Dirk Wiesenthal from comment #8)
> Maybe the network even forgot some bytes? In this case we would have to add
> a checksum?
Afaik this should not be possible because TCP already has a checksum.

Comment 10 Moritz Muehlenhoff

2014-02-06 13:36:41 CET

http://errata.univention.de/ucs/3.2/49.html