I can reliably reproduce this on my 20.04 (vmWare 6.7 amd64 guest) systems running the following:
sudo snmpbulkget -v3 -Cn0 -Cr50 -l authPriv -u testuser -a SHA -A <pass> -x DES -X <pass> 127.0.0.1 iso.3.6.1.2.1.4.22.1.4
A gdb backtrace looks like the following:
double free or corruption (fasttop)
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 return ret;
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7979859 in __GI_abort () at abort.c:79
#2 0x00007ffff79e43ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7b0e285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff79ec47c in malloc_printerr (str=str@entry=0x7ffff7b10628 "double free or corruption (fasttop)") at malloc.c:5347
#4 0x00007ffff79edde5 in _int_free (av=0x7ffff7b3fb80 <main_arena>, p=0x55555586ea10, have_lock=0) at malloc.c:4266
#5 0x00007ffff7bc2a14 in usm_free_usmStateReference () from /lib/x86_64-linux-gnu/libnetsnmp.so.35
#6 0x00007ffff7bc7c8d in usm_generate_out_msg () from /lib/x86_64-linux-gnu/libnetsnmp.so.35
#7 0x00007ffff7bc8609 in usm_secmod_generate_out_msg () from /lib/x86_64-linux-gnu/libnetsnmp.so.35
#8 0x00007ffff7b7e05a in snmpv3_packet_build () from /lib/x86_64-linux-gnu/libnetsnmp.so.35
#9 0x00007ffff7b80087 in snmp_build () from /lib/x86_64-linux-gnu/libnetsnmp.so.35
#10 0x00007ffff7b805ab in netsnmp_build_packet () from /lib/x86_64-linux-gnu/libnetsnmp.so.35
#11 0x00007ffff7b807cf in _build_initial_pdu_packet () from /lib/x86_64-linux-gnu/libnetsnmp.so.35
#12 0x00007ffff7f85a18 in netsnmp_wrap_up_request () from /lib/x86_64-linux-gnu/libnetsnmpagent.so.35
#13 0x00007ffff7f88beb in netsnmp_handle_request () from /lib/x86_64-linux-gnu/libnetsnmpagent.so.35
#14 0x00007ffff7f88f1b in handle_snmp_packet () from /lib/x86_64-linux-gnu/libnetsnmpagent.so.35
#15 0x00007ffff7b8882f in ?? () from /lib/x86_64-linux-gnu/libnetsnmp.so.35
#16 0x00007ffff7b898c6 in _sess_read () from /lib/x86_64-linux-gnu/libnetsnmp.so.35
#17 0x00007ffff7b8a3fd in snmp_sess_read2 () from /lib/x86_64-linux-gnu/libnetsnmp.so.35
#18 0x00007ffff7b8a44b in snmp_read2 () from /lib/x86_64-linux-gnu/libnetsnmp.so.35
#19 0x0000555555559ca2 in ?? ()
#20 0x000055555555910d in main ()
I haven't been able to reproduce running the command remotely, but it does seem to reliably crash snmpd when running locally. However, we use SolarWinds Orion NPM to monitor our internal infrastructure, and it runs similar bulkget commands that will reliably crash snmpd remotely on our 20.04 test servers.
Please let me know if there's any other information I can provide.
I can reliably reproduce this on my 20.04 (vmWare 6.7 amd64 guest) systems running the following:
sudo snmpbulkget -v3 -Cn0 -Cr50 -l authPriv -u testuser -a SHA -A <pass> -x DES -X <pass> 127.0.0.1 iso.3.6. 1.2.1.4. 22.1.4
A gdb backtrace looks like the following:
double free or corruption (fasttop)
Program received signal SIGABRT, Aborted. unix/sysv/ linux/raise. c:50 unix/sysv/ linux/raise. c:50 action@ entry=do_ abort, fmt=fmt@ entry=0x7ffff7b 0e285 "%s\n") at ../sysdeps/ posix/libc_ fatal.c: 155 entry=0x7ffff7b 10628 "double free or corruption (fasttop)") at malloc.c:5347 usmStateReferen ce () from /lib/x86_ 64-linux- gnu/libnetsnmp. so.35 out_msg () from /lib/x86_ 64-linux- gnu/libnetsnmp. so.35 generate_ out_msg () from /lib/x86_ 64-linux- gnu/libnetsnmp. so.35 64-linux- gnu/libnetsnmp. so.35 64-linux- gnu/libnetsnmp. so.35 build_packet () from /lib/x86_ 64-linux- gnu/libnetsnmp. so.35 initial_ pdu_packet () from /lib/x86_ 64-linux- gnu/libnetsnmp. so.35 wrap_up_ request () from /lib/x86_ 64-linux- gnu/libnetsnmpa gent.so. 35 handle_ request () from /lib/x86_ 64-linux- gnu/libnetsnmpa gent.so. 35 64-linux- gnu/libnetsnmpa gent.so. 35 64-linux- gnu/libnetsnmp. so.35 64-linux- gnu/libnetsnmp. so.35 64-linux- gnu/libnetsnmp. so.35 64-linux- gnu/libnetsnmp. so.35
__GI_raise (sig=sig@entry=6) at ../sysdeps/
50 return ret;
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/
#1 0x00007ffff7979859 in __GI_abort () at abort.c:79
#2 0x00007ffff79e43ee in __libc_message (action=
#3 0x00007ffff79ec47c in malloc_printerr (str=str@
#4 0x00007ffff79edde5 in _int_free (av=0x7ffff7b3fb80 <main_arena>, p=0x55555586ea10, have_lock=0) at malloc.c:4266
#5 0x00007ffff7bc2a14 in usm_free_
#6 0x00007ffff7bc7c8d in usm_generate_
#7 0x00007ffff7bc8609 in usm_secmod_
#8 0x00007ffff7b7e05a in snmpv3_packet_build () from /lib/x86_
#9 0x00007ffff7b80087 in snmp_build () from /lib/x86_
#10 0x00007ffff7b805ab in netsnmp_
#11 0x00007ffff7b807cf in _build_
#12 0x00007ffff7f85a18 in netsnmp_
#13 0x00007ffff7f88beb in netsnmp_
#14 0x00007ffff7f88f1b in handle_snmp_packet () from /lib/x86_
#15 0x00007ffff7b8882f in ?? () from /lib/x86_
#16 0x00007ffff7b898c6 in _sess_read () from /lib/x86_
#17 0x00007ffff7b8a3fd in snmp_sess_read2 () from /lib/x86_
#18 0x00007ffff7b8a44b in snmp_read2 () from /lib/x86_
#19 0x0000555555559ca2 in ?? ()
#20 0x000055555555910d in main ()
I haven't been able to reproduce running the command remotely, but it does seem to reliably crash snmpd when running locally. However, we use SolarWinds Orion NPM to monitor our internal infrastructure, and it runs similar bulkget commands that will reliably crash snmpd remotely on our 20.04 test servers.
Please let me know if there's any other information I can provide.