snmpd segfaults in IP-MIB during snmpwalk

Automatically imported from Debian bug report #323038 http://bugs.debian.org/323038

Message-Id: <email address hidden>
Date: Sun, 14 Aug 2005 13:14:04 +0200
From: Julien BLACHE <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: snmpd segfaults in IP-MIB during snmpwalk

Package: snmpd
Version: 5.2.1.2-2
Severity: serious
Justification: renders software unusable; possible DoS

Hi,

% snmpwalk [...] 10.0.1.2
[...]
IP-MIB::ip.34.1.11.1.4.127.0.0.1 =3D INTEGER: 2
IP-MIB::ip.34.1.11.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 =3D INTEGER: 2
IP-MIB::ip.34.1.11.2.16.32.1.7.168.24.94.0.1.0.0.0.0.0.0.0.16 =3D INTEGER=
: 2
IP-MIB::ip.34.1.11.2.16.254.128.0.0.0.0.0.0.2.0.180.255.254.185.115.222 =3D=
 INTEGER: 2
IP-MIB::ip.34.1.11.2.16.254.128.0.0.0.0.0.0.2.5.93.255.254.162.102.34 =3D=
 INTEGER: 2
IP-MIB::ip.35.1.4.1.4.4.10.10.10.1 =3D Hex-STRING: 00 10 A7 11 F9 3F=20

Timeout: No Response from 10.0.1.2

Happens on all my machines, not architecture-specific.

*** glibc detected *** free(): invalid pointer: 0x0000000000649dd8 ***

Program received signal SIGABRT, Aborted.
0x00002aaaab772dd0 in raise () from /lib/libc.so.6
(gdb) bt
#0 0x00002aaaab772dd0 in raise () from /lib/libc.so.6
#1 0x00002aaaab774280 in abort () from /lib/libc.so.6
#2 0x00002aaaab7a853e in __fsetlocking () from /lib/libc.so.6
#3 0x00002aaaab7ae29b in malloc_usable_size () from /lib/libc.so.6
#4 0x00002aaaab7ae57e in free () from /lib/libc.so.6
#5 0x00002aaaab1e7d16 in snmp_free_var (var=3D0x6764a0) at snmp_api.c:48=
61
#6 0x00002aaaab1e7dc7 in snmp_free_varbind (var=3D0x6764a0) at snmp_api.=
c:4881
#7 0x00002aaaab1e7e31 in snmp_free_pdu (pdu=3D0x65ac90) at snmp_api.c:49=
21
#8 0x00002aaaab1e7ba7 in _sess_async_send (sessp=3D0x62aa60, pdu=3D0x65a=
c90, callback=3D0, cb_data=3D0x0) at snmp_api.c:4815
#9 0x00002aaaab1e7c0b in snmp_sess_async_send (sessp=3D0x62aa60, pdu=3D0=
x65ac90, callback=3D0, cb_data=3D0x0) at snmp_api.c:4833
#10 0x00002aaaab1e70ab in snmp_async_send (session=3D0x65a520, pdu=3D0x65=
ac90, callback=3D0, cb_data=3D0x0) at snmp_api.c:4565
#11 0x00002aaaab1e7046 in snmp_send (session=3D0x65a520, pdu=3D0x65ac90) =
at snmp_api.c:4551
#12 0x00002aaaaae4be4c in netsnmp_wrap_up_request (asp=3D0x677350, status=
=3D0) at snmp_agent.c:1627
#13 0x00002aaaaae4f08d in netsnmp_handle_request (asp=3D0x677350, status=3D=
0) at snmp_agent.c:2996
#14 0x00002aaaaae4c48d in handle_snmp_packet (op=3D1, session=3D0x65a520,=
 reqid=3D20857002, pdu=3D0x65aa70, magic=3D0x0) at snmp_agent.c:1792
#15 0x00002aaaab1e89f2 in _sess_process_packet (sessp=3D0x62aa60, sp=3D0x=
65a520, isp=3D0x65a9a0, transport=3D0x658970, opaque=3D0x657f90, olength=3D=
16,=20
    packetptr=3D0x65dee0 "0@\002\001\001\004\004mrtg=A15\002\004\001>@=AA=
\002\001", length=3D66) at snmp_api.c:5213
#16 0x00002aaaab1e9fef in _sess_read (sessp=3D0x62aa60, fdset=3D0x7fffffc=
df940) at snmp_api.c:5610
#17 0x00002aaaab1ea040 in snmp_sess_read (sessp=3D0x62aa60, fdset=3D0x7ff=
fffcdf940) at snmp_api.c:5629
#18 0x00002aaaab1e8b90 in snmp_read (fdset=3D0x7fffffcdf940) at snmp_api.=
c:5265
#19 0x00000000004050a8 in receive () at snmpd.c:1149
#20 0x0000000000404615 in main (argc=3D7, argv=3D0x7fffffce0ca8) at snmpd=
.c:993

Looks like the IP-MIB ...

Message-ID: <email address hidden>
Date: Sun, 14 Aug 2005 16:22:12 +0200
From: Julien BLACHE <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: [PATCH] snmpd segfault in IP-MIB

--=-=-=

tags 323038 + patch
thanks

Hi,

So, this segfault is obviously caused by a double-free, as the pointer
passed to free() is, indeed, a valid pointer.

snmpd crashes at this point:
.1.3.6.1.2.1.4.35.1.4.1.4.4.10.0.1.1 = Hex-STRING: 00 C1 97 AB AA 2A

So the crash happens after querying the very first object of
.1.3.6.1.2.1.4.35.1.4.*, when the data structure gets freed. As the
pointer is a valid pointer, the problem lies when the structure is
created/populated.

This is handled in
agent/mibgroup/ip-mib/inetNetToMediaTable/inetNetToMediaTable.c
(surprise, surprise, this IP-MIB code is definitely buggy as hell).

   311 int
   312 inetNetToMediaPhysAddress_get(inetNetToMediaTable_rowreq_ctx * rowreq_ctx,

   ...

   327 (*inetNetToMediaPhysAddress_val_ptr_ptr) =
   328 rowreq_ctx->data->arp_physaddress;

   ...

The Hex-STRING looks very much like a MAC address, and it indeed
is. This is where the data structure is populated with the MAC address
string.

It relies on the query context, and chances are this context gets
freed automagically by something else before the data structure gets
freed (I don't remember the magic of snmpd query contexts -- but the
context gets freed before the data structure for sure).

Proposed patch attached; I think it's correct, but please discuss the
problem with upstream. They may have a better way to fix this.

And get them to do a full review of the IP-MIB code, looks like it's
needed.

JB.

--
 Julien BLACHE - Debian & GNU/Linux Developer - <email address hidden>

 Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
 GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment;
  filename=inetNetToMediaTable.c-MAC-strdup.patch
Content-Description: inetNetToMediaTable.c patch

--- net-snmp-5.2.1.2.orig/agent/mibgroup/ip-mib/inetNetToMediaTable/inetNetToMediaTable.c
+++ net-snmp-5.2.1.2/agent/mibgroup/ip-mib/inetNetToMediaTable/inetNetToMediaTable.c
@@ -375,7 +375,7 @@
      * set (* inetNetToMediaPhysAddress_val_ptr_ptr ) and (* inetNetToMediaPhysAddress_val_ptr_len_ptr ) from rowreq_ctx->data
      */
     (*inetNetToMediaPhysAddress_val_ptr_ptr) =
- rowreq_ctx->data->arp_physaddress;
+ strdup(rowreq_ctx->data->arp_physaddress);
     (*inetNetToMediaPhysAddress_val_ptr_len_ptr) =
         rowreq_ctx->data->arp_physaddress_len;

--=-=-=--

Message-ID: <Pine.LNX.4.58.0508141744050.2441@localhost>
Date: Sun, 14 Aug 2005 17:46:11 +0200 (CEST)
From: Jochen Friedrich <email address hidden>
To: Julien BLACHE <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#323038: [PATCH] snmpd segfault in IP-MIB

tags 323038 + upstream
forwarded 323038 http://net-snmp.sf.net
thanks

I forwarded the bug upstream -> SourceForge #1259049

Thanks for the report.
Jochen

I did try on a few different machines and i cannot reproduce this bug, either
with ubuntu or debian pkgs.

Fabio

Message-Id: <email address hidden>
Date: Sat, 10 Sep 2005 11:07:18 -0700
From: Jochen Friedrich <email address hidden>
To: <email address hidden>
Subject: Bug#323038: fixed in net-snmp 5.2.1.2-3

Source: net-snmp
Source-Version: 5.2.1.2-3

We believe that the bug you reported is fixed in the latest version of
net-snmp, which is due to be installed in the Debian FTP archive:

libsnmp-base_5.2.1.2-3_all.deb
  to pool/main/n/net-snmp/libsnmp-base_5.2.1.2-3_all.deb
libsnmp-perl_5.2.1.2-3_alpha.deb
  to pool/main/n/net-snmp/libsnmp-perl_5.2.1.2-3_alpha.deb
libsnmp9-dev_5.2.1.2-3_alpha.deb
  to pool/main/n/net-snmp/libsnmp9-dev_5.2.1.2-3_alpha.deb
libsnmp9_5.2.1.2-3_alpha.deb
  to pool/main/n/net-snmp/libsnmp9_5.2.1.2-3_alpha.deb
net-snmp_5.2.1.2-3.diff.gz
  to pool/main/n/net-snmp/net-snmp_5.2.1.2-3.diff.gz
net-snmp_5.2.1.2-3.dsc
  to pool/main/n/net-snmp/net-snmp_5.2.1.2-3.dsc
snmp_5.2.1.2-3_alpha.deb
  to pool/main/n/net-snmp/snmp_5.2.1.2-3_alpha.deb
snmpd_5.2.1.2-3_alpha.deb
  to pool/main/n/net-snmp/snmpd_5.2.1.2-3_alpha.deb
tkmib_5.2.1.2-3_all.deb
  to pool/main/n/net-snmp/tkmib_5.2.1.2-3_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jochen Friedrich <email address hidden> (supplier of updated net-snmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 5 Sep 2005 21:19:30 +0200
Source: net-snmp
Binary: libsnmp9 tkmib snmp libsnmp-perl libsnmp-base libsnmp9-dev snmpd
Architecture: source all alpha
Version: 5.2.1.2-3
Distribution: unstable
Urgency: low
Maintainer: Jochen Friedrich <email address hidden>
Changed-By: Jochen Friedrich <email address hidden>
Description:
 libsnmp-base - NET SNMP (Simple Network Management Protocol) MIBs and Docs
 libsnmp-perl - NET SNMP (Simple Network Management Protocol) Perl5 Support
 libsnmp9 - NET SNMP (Simple Network Management Protocol) Library
 libsnmp9-dev - NET SNMP (Simple Network Management Protocol) Development Files
 snmp - NET SNMP (Simple Network Management Protocol) Apps
 snmpd - NET SNMP (Simple Network Management Protocol) Agents
 tkmib - NET SNMP (Simple Network Management Protocol) MIB Browser
Closes: 321713 322500 323038
Changes:
 net-snmp (5.2.1.2-3) unstable; urgency=low
 .
   * Apply official library-version-update-5.2.1.2.patch to clean up the
     version mess (Closes: #322500)
   * Replace error_snmp6.patch by upstream systemstats-snmp6.patch
   * Added upstream inetNetToMedia-01.patch (Closes: #323038)
   * Added ipaddress_linux.c-in_len-out_len-type.patch from
     Julien BLACHE <email address hidden> (Closes: #321713)
Files:
 6f8b63e28804ab1ee7c6fe250ed46a87 1081 net optional net-snmp_5.2.1.2-3.dsc
 a29ac8ce04d96c2a364e36c2ebb99fdc 69892 net optional net-snmp_5.2.1.2-3.di...