snmpd segfaults in IP-MIB during snmpwalk
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
net-snmp (Debian) | Fix Released | Unknown | |
net-snmp (Ubuntu) | Invalid | High | Unassigned |
Bug Description
Automatically imported from Debian bug report #323038 http://
In Debian Bug tracker #323038, Julien BLACHE (jblache) wrote : [PATCH] snmpd segfault in IP-MIB | #1 |
In Debian Bug tracker #323038, Jochen Friedrich (jochen) wrote : Re: Bug#323038: [PATCH] snmpd segfault in IP-MIB | #2 |
tags 323038 + upstream
forwarded 323038 http://
thanks
I forwarded the bug upstream -> SourceForge #1259049
Thanks for the report.
Jochen
Debian Bug Importer (debzilla) wrote : | #3 |
Automatically imported from Debian bug report #323038 http://
Debian Bug Importer (debzilla) wrote : | #4 |
Message-Id: <email address hidden>
Date: Sun, 14 Aug 2005 13:14:04 +0200
From: Julien BLACHE <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: snmpd segfaults in IP-MIB during snmpwalk
Package: snmpd
Version: 5.2.1.2-2
Severity: serious
Justification: renders software unusable; possible DoS
Hi,
% snmpwalk [...] 10.0.1.2
[...]
IP-MIB:
IP-MIB:
IP-MIB:
: 2
IP-MIB:
INTEGER: 2
IP-MIB:
INTEGER: 2
IP-MIB:
Timeout: No Response from 10.0.1.2
Happens on all my machines, not architecture-
*** glibc detected *** free(): invalid pointer: 0x0000000000649dd8 ***
Program received signal SIGABRT, Aborted.
0x00002aaaab772dd0 in raise () from /lib/libc.so.6
(gdb) bt
#0 0x00002aaaab772dd0 in raise () from /lib/libc.so.6
#1 0x00002aaaab774280 in abort () from /lib/libc.so.6
#2 0x00002aaaab7a853e in __fsetlocking () from /lib/libc.so.6
#3 0x00002aaaab7ae29b in malloc_usable_size () from /lib/libc.so.6
#4 0x00002aaaab7ae57e in free () from /lib/libc.so.6
#5 0x00002aaaab1e7d16 in snmp_free_var (var=0x6764a0) at snmp_api.c:4861
#6 0x00002aaaab1e7dc7 in snmp_free_varbind (var=0x6764a0) at snmp_api.c:4881
#7 0x00002aaaab1e7e31 in snmp_free_pdu (pdu=0x65ac90) at snmp_api.c:4921
#8 0x00002aaaab1e7ba7 in _sess_async_send (sessp=0x62aa60, pdu=0x65ac90, callback=0, cb_data=0x0) at snmp_api.c:4815
#9 0x00002aaaab1e7c0b in snmp_sess_
x65ac90, callback=0, cb_data=0x0) at snmp_api.c:4833
#10 0x00002aaaab1e70ab in snmp_async_send (session=
ac90, callback=0, cb_data=0x0) at snmp_api.c:4565
#11 0x00002aaaab1e7046 in snmp_send (session=
at snmp_api.c:4551
#12 0x00002aaaaae4be4c in netsnmp_
=0) at snmp_agent.c:1627
#13 0x00002aaaaae4f08d in netsnmp_
0) at snmp_agent.c:2996
#14 0x00002aaaaae4c48d in handle_snmp_packet (op=1, session=
reqid=20857002, pdu=0x65aa70, magic=0x0) at snmp_agent.c:1792
#15 0x00002aaaab1e89f2 in _sess_process_
65a520, isp=0x65a9a0, transport=
16,
packetptr=
\002\001", length=66) at snmp_api.c:5213
#16 0x00002aaaab1e9fef in _sess_read (sessp=0x62aa60, fdset=0x7fffffcdf940) at snmp_api.c:5610
#17 0x00002aaaab1ea040 in snmp_sess_read (sessp=0x62aa60, fdset=0x7fffffcdf940) at snmp_api.c:5629
#18 0x00002aaaab1e8b90 in snmp_read (fdset=
c:5265
#19 0x00000000004050a8 in receive () at snmpd.c:1149
#20 0x0000000000404615 in main (argc=7, argv=0x7fffff
.c:993
Looks like the IP-MIB ...
Debian Bug Importer (debzilla) wrote : | #5 |
Message-ID: <email address hidden>
Date: Sun, 14 Aug 2005 16:22:12 +0200
From: Julien BLACHE <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: [PATCH] snmpd segfault in IP-MIB
tags 323038 + patch
thanks
Hi,
So, this segfault is obviously caused by a double-free, as the pointer
passed to free() is, indeed, a valid pointer.
snmpd crashes at this point:
.1.3.6.1.2.1.4.35.1.4.1.4.4.10.0.1.1 = Hex-STRING: 00 C1 97 AB AA 2A
So the crash happens after querying the very first object of
.1.3.6.1.2.1.4.35.1.4.*, when the data structure gets freed. As the
pointer is a valid pointer, the problem lies when the structure is
created/populated.
This is handled in
agent/mibgroup/ip-mib/inetNetToMediaTable/inetNetToMediaTable.c
(surprise, surprise, this IP-MIB code is definitely buggy as hell).
311 int
312 inetNetToMediaPhysAddress_get(inetNetToMediaTable_rowreq_ctx * rowreq_ctx,
...
327 (*inetNetToMediaPhysAddress_val_ptr_ptr) = ctx->data->arp_physaddress;
328 rowreq_
...
The Hex-STRING looks very much like a MAC address, and it indeed
is. This is where the data structure is populated with the MAC address
string.
It relies on the query context, and chances are this context gets
freed automagically by something else before the data structure gets
freed (I don't remember the magic of snmpd query contexts -- but the
context gets freed before the data structure for sure).
Proposed patch attached; I think it's correct, but please discuss the
problem with upstream. They may have a better way to fix this.
And get them to do a full review of the IP-MIB code, looks like it's
needed.
JB.
--
Julien BLACHE - Debian & GNU/Linux Developer - <email address hidden>
Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169
--- net-snmp-
+++ net-snmp-
@@ -375,7 +375,7 @@
* set (* inetNetToMediaP
*/
(*
- rowreq_
+ strdup(
(*
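Review bot: the `+ strdup(` replacement copies the physical address as a NUL-terminated C string, but the value being handed out is binary (the Hex-STRING `00 C1 97 AB AA 2A` quoted earlier in this report starts with a 0x00 byte), so strdup() would stop at that first byte and the varbind would carry an empty string. Copy it with malloc() plus memcpy() over the stored length instead, and check the allocation for NULL, so the varbind owns a complete copy that snmp_free_var() can safely free without touching the row context's memory.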
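The ownership mistake Julien describes, modelled as an added example (this is not net-snmp code): invented `row_ctx` and `varbind` structs stand in for the table's rowreq_ctx and for the varbind that snmp_free_var() releases, one getter aliases context memory the way the quoted line 327 does, the other hands out a heap copy, and a helper shows why strdup() is the wrong way to copy a Hex-STRING that begins with 0x00.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAC_LEN 6

/* Stand-in for the table's rowreq_ctx: it owns the 6-byte physical address. */
struct row_ctx { unsigned char physaddr[MAC_LEN]; };
/* Stand-in for the varbind whose value snmp_free_var() releases with free(). */
struct varbind { unsigned char *val; size_t val_len; };

/* Buggy shape of the getter: aliases the context's buffer, so the PDU later
 * free()s memory it never allocated (the "free(): invalid pointer" above). */
int phys_get_aliasing(struct row_ctx *ctx, struct varbind *vb) {
    vb->val = ctx->physaddr;
    vb->val_len = MAC_LEN;
    return 0;
}

/* Fixed shape: hand the PDU its own heap copy, with an explicit length. */
int phys_get_copy(const struct row_ctx *ctx, struct varbind *vb) {
    unsigned char *copy = malloc(MAC_LEN);
    if (copy == NULL) return -1;
    memcpy(copy, ctx->physaddr, MAC_LEN);
    vb->val = copy;
    vb->val_len = MAC_LEN;
    return 0;
}

/* Mirrors the cleanup side: the PDU owns the value and frees it. */
void free_varbind(struct varbind *vb) { free(vb->val); vb->val = NULL; }

/* 1 if vb->val lies outside ctx, i.e. freeing it cannot touch ctx memory. */
int varbind_owns_value(const struct varbind *vb, const struct row_ctx *ctx) {
    uintptr_t p = (uintptr_t)vb->val, lo = (uintptr_t)ctx->physaddr;
    return !(p >= lo && p < lo + MAC_LEN);
}

/* Why strdup() is the wrong copy for a Hex-STRING: it stops at the first 0x00
 * byte, and a MAC such as 00 C1 97 AB AA 2A begins with one. */
size_t bytes_copied_by_strdup(const unsigned char *mac) {
    char buf[MAC_LEN + 1];
    memcpy(buf, mac, MAC_LEN);
    buf[MAC_LEN] = '\0';              /* terminator so strdup() cannot overread */
    char *s = strdup(buf);
    size_t n = s ? strlen(s) : 0;
    free(s);
    return n;
}
```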
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <Pine.LNX.
Date: Sun, 14 Aug 2005 17:46:11 +0200 (CEST)
From: Jochen Friedrich <email address hidden>
To: Julien BLACHE <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#323038: [PATCH] snmpd segfault in IP-MIB
tags 323038 + upstream
forwarded 323038 http://
thanks
I forwarded the bug upstream -> SourceForge #1259049
Thanks for the report.
Jochen
Fabio Massimo Di Nitto (fabbione) wrote : | #7 |
I did try on a few different machines and I cannot reproduce this bug, either
with Ubuntu or Debian packages.
Fabio
In Debian Bug tracker #323038, Jochen Friedrich (jochen) wrote : Bug#323038: fixed in net-snmp 5.2.1.2-3 | #8 |
Source: net-snmp
Source-Version: 5.2.1.2-3
We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive:
libsnmp-
to pool/main/
libsnmp-
to pool/main/
libsnmp9-
to pool/main/
libsnmp9_
to pool/main/
net-snmp_
to pool/main/
net-snmp_
to pool/main/
snmp_5.
to pool/main/
snmpd_5.
to pool/main/
tkmib_5.
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jochen Friedrich <email address hidden> (supplier of updated net-snmp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 5 Sep 2005 21:19:30 +0200
Source: net-snmp
Binary: libsnmp9 tkmib snmp libsnmp-perl libsnmp-base libsnmp9-dev snmpd
Architecture: source all alpha
Version: 5.2.1.2-3
Distribution: unstable
Urgency: low
Maintainer: Jochen Friedrich <email address hidden>
Changed-By: Jochen Friedrich <email address hidden>
Description:
libsnmp-base - NET SNMP (Simple Network Management Protocol) MIBs and Docs
libsnmp-perl - NET SNMP (Simple Network Management Protocol) Perl5 Support
libsnmp9 - NET SNMP (Simple Network Management Protocol) Library
libsnmp9-dev - NET SNMP (Simple Network Management Protocol) Development Files
snmp - NET SNMP (Simple Network Management Protocol) Apps
snmpd - NET SNMP (Simple Network Management Protocol) Agents
tkmib - NET SNMP (Simple Network Management Protocol) MIB Browser
Closes: 321713 322500 323038
Changes:
net-snmp (5.2.1.2-3) unstable; urgency=low
.
* Apply official library-
version mess (Closes: #322500)
* Replace error_snmp6.patch by upstream systemstats-
* Added upstream inetNetToMedia-
* Added ipaddress_
Julien BLACHE <email address hidden> (Closes: #321713)
Files: