Comment 4 for bug 19930

Debian Bug Importer (debzilla) wrote:

Message-Id: <email address hidden>
Date: Sun, 14 Aug 2005 13:14:04 +0200
From: Julien BLACHE <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: snmpd segfaults in IP-MIB during snmpwalk

Package: snmpd
Version: 5.2.1.2-2
Severity: serious
Justification: renders software unusable; possible DoS

Hi,

% snmpwalk [...] 10.0.1.2
[...]
IP-MIB::ip.34.1.11.1.4.127.0.0.1 = INTEGER: 2
IP-MIB::ip.34.1.11.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 2
IP-MIB::ip.34.1.11.2.16.32.1.7.168.24.94.0.1.0.0.0.0.0.0.0.16 = INTEGER: 2
IP-MIB::ip.34.1.11.2.16.254.128.0.0.0.0.0.0.2.0.180.255.254.185.115.222 = INTEGER: 2
IP-MIB::ip.34.1.11.2.16.254.128.0.0.0.0.0.0.2.5.93.255.254.162.102.34 = INTEGER: 2
IP-MIB::ip.35.1.4.1.4.4.10.10.10.1 = Hex-STRING: 00 10 A7 11 F9 3F

Timeout: No Response from 10.0.1.2

Happens on all my machines, not architecture-specific.

*** glibc detected *** free(): invalid pointer: 0x0000000000649dd8 ***

Program received signal SIGABRT, Aborted.
0x00002aaaab772dd0 in raise () from /lib/libc.so.6
(gdb) bt
#0 0x00002aaaab772dd0 in raise () from /lib/libc.so.6
#1 0x00002aaaab774280 in abort () from /lib/libc.so.6
#2 0x00002aaaab7a853e in __fsetlocking () from /lib/libc.so.6
#3 0x00002aaaab7ae29b in malloc_usable_size () from /lib/libc.so.6
#4 0x00002aaaab7ae57e in free () from /lib/libc.so.6
#5 0x00002aaaab1e7d16 in snmp_free_var (var=0x6764a0) at snmp_api.c:4861
#6 0x00002aaaab1e7dc7 in snmp_free_varbind (var=0x6764a0) at snmp_api.c:4881
#7 0x00002aaaab1e7e31 in snmp_free_pdu (pdu=0x65ac90) at snmp_api.c:4921
#8 0x00002aaaab1e7ba7 in _sess_async_send (sessp=0x62aa60, pdu=0x65ac90, callback=0, cb_data=0x0) at snmp_api.c:4815
#9 0x00002aaaab1e7c0b in snmp_sess_async_send (sessp=0x62aa60, pdu=0x65ac90, callback=0, cb_data=0x0) at snmp_api.c:4833
#10 0x00002aaaab1e70ab in snmp_async_send (session=0x65a520, pdu=0x65ac90, callback=0, cb_data=0x0) at snmp_api.c:4565
#11 0x00002aaaab1e7046 in snmp_send (session=0x65a520, pdu=0x65ac90) at snmp_api.c:4551
#12 0x00002aaaaae4be4c in netsnmp_wrap_up_request (asp=0x677350, status=0) at snmp_agent.c:1627
#13 0x00002aaaaae4f08d in netsnmp_handle_request (asp=0x677350, status=0) at snmp_agent.c:2996
#14 0x00002aaaaae4c48d in handle_snmp_packet (op=1, session=0x65a520, reqid=20857002, pdu=0x65aa70, magic=0x0) at snmp_agent.c:1792
#15 0x00002aaaab1e89f2 in _sess_process_packet (sessp=0x62aa60, sp=0x65a520, isp=0x65a9a0, transport=0x658970, opaque=0x657f90, olength=16,
    packetptr=0x65dee0 "0@\002\001\001\004\004mrtg¡5\002\004\001>@ª\002\001", length=66) at snmp_api.c:5213
#16 0x00002aaaab1e9fef in _sess_read (sessp=0x62aa60, fdset=0x7fffffcdf940) at snmp_api.c:5610
#17 0x00002aaaab1ea040 in snmp_sess_read (sessp=0x62aa60, fdset=0x7fffffcdf940) at snmp_api.c:5629
#18 0x00002aaaab1e8b90 in snmp_read (fdset=0x7fffffcdf940) at snmp_api.c:5265
#19 0x00000000004050a8 in receive () at snmpd.c:1149
#20 0x0000000000404615 in main (argc=7, argv=0x7fffffce0ca8) at snmpd.c:993

Looks like the IP-MIB code is at fault here, again. You may need to have IPv6
enabled on your system to reproduce the segfault. This one is so deeply buried
into snmpd that I'm not going to debug it. Spent my Sunday morning fixing the
64bit-specific segfault (321713), that'll be enough for today.

Please forward to upstream ASAP.

JB.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12
Locale: LANG=C, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)

Versions of packages snmpd depends on:
ii libc6 2.3.5-3 GNU C Library: Shared libraries an
ii libsensors3 1:2.9.1-5 library to read temperature/voltag
ii libsnmp5 5.2.1.2-2 NET SNMP (Simple Network Managemen
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra

snmpd recommends no packages.

-- no debconf information