Message-ID: <email address hidden>
Date: Sun, 14 Aug 2005 16:22:12 +0200
From: Julien BLACHE <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: [PATCH] snmpd segfault in IP-MIB
--=-=-=
tags 323038 + patch
thanks
Hi,
So, this segfault is obviously caused by a double-free, as the pointer
passed to free() is, indeed, a valid pointer.

snmpd crashes at this point:

.1.3.6.1.2.1.4.35.1.4.1.4.4.10.0.1.1 = Hex-STRING: 00 C1 97 AB AA 2A

So the crash happens after querying the very first object of
.1.3.6.1.2.1.4.35.1.4.*, when the data structure gets freed. As the
pointer is a valid pointer, the problem lies when the structure is
created/populated.

This is handled in
agent/mibgroup/ip-mib/inetNetToMediaTable/inetNetToMediaTable.c
(surprise, surprise, this IP-MIB code is definitely buggy as hell).

311 int
312 inetNetToMediaPhysAddress_get(inetNetToMediaTable_rowreq_ctx * rowreq_ctx,
...
327     (*inetNetToMediaPhysAddress_val_ptr_ptr) =
328         rowreq_ctx->data->arp_physaddress;
...

The Hex-STRING looks very much like a MAC address, and it indeed
is. This is where the data structure is populated with the MAC address
string.

It relies on the query context, and chances are this context gets
freed automagically by something else before the data structure gets
freed (I don't remember the magic of snmpd query contexts -- but the
context gets freed before the data structure for sure).

Proposed patch attached; I think it's correct, but please discuss the
problem with upstream. They may have a better way to fix this.

And get them to do a full review of the IP-MIB code, looks like it's
needed.
JB.
--
Julien BLACHE - Debian & GNU/Linux Developer - <email address hidden>
Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169
--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=inetNetToMediaTable.c-MAC-strdup.patch
Content-Description: inetNetToMediaTable.c patch
--- net-snmp- 5.2.1.2. orig/agent/ mibgroup/ ip-mib/ inetNetToMediaT able/inetNetToM ediaTable. c 5.2.1.2/ agent/mibgroup/ ip-mib/ inetNetToMediaT able/inetNetToM ediaTable. c hysAddress_ val_ptr_ ptr ) and (* inetNetToMediaP hysAddress_ val_ptr_ len_ptr ) from rowreq_ctx->data inetNetToMediaP hysAddress_ val_ptr_ ptr) = ctx->data- >arp_physaddres s; rowreq_ ctx->data- >arp_physaddres s); inetNetToMediaP hysAddress_ val_ptr_ len_ptr) =
rowreq_ ctx->data- >arp_physaddres s_len;
+++ net-snmp-
@@ -375,7 +375,7 @@
* set (* inetNetToMediaP
*/
(*
- rowreq_
+ strdup(
(*
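Review bot: the strdup() call on the + line is unchecked and may be the wrong copy primitive for this value. First, strdup() returns NULL when allocation fails, and the following context line still stores rowreq_ctx->data->arp_physaddress_len into (*inetNetToMediaPhysAddress_val_ptr_len_ptr), so the caller would be handed a NULL value with a non-zero length; test the result and return an error to the caller when it is NULL. Second, strdup() copies only up to the first NUL byte, whereas the value is reported as a Hex-STRING with an explicit length and the crashing row begins with the octet 00; if arp_physaddress holds raw octets rather than NUL-terminated text, the copy will be shorter than arp_physaddress_len and code reading that many bytes from it would run past the copy. Allocating arp_physaddress_len bytes and copying with memcpy keeps the copy and the length consistent in either case. The deep copy itself is the right direction: it gives the request context its own buffer to free, which is what removes the double free.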
--=-=-=--
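An added illustration in C, not part of this report and not net-snmp code, of the ownership mistake the message describes and of the fix direction the patch takes: a row's own buffer is handed out as a value that the request context later frees, so the row's teardown frees it a second time; a length-aware copy gives each owner its own block. The names row_data, row_create, get_physaddr_aliased, get_physaddr_copied and run_request are hypothetical stand-ins for the IP-MIB row and the snmpd request context, and the sample octets are the ones printed in the crashing query.

```c
/* Added illustration, not net-snmp code.  struct row_data, row_create,
 * get_physaddr_aliased, get_physaddr_copied and run_request are hypothetical
 * names for the IP-MIB row and the request context. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical row: raw MAC octets plus an explicit length, the way a
 * Hex-STRING value is carried (the octets are not NUL-terminated text). */
struct row_data {
    unsigned char *physaddr;
    size_t physaddr_len;
};

/* Constructed sample: the octets from the crashing query; the first is 0x00. */
static const unsigned char SAMPLE_MAC[6] = { 0x00, 0xC1, 0x97, 0xAB, 0xAA, 0x2A };

struct row_data *row_create(void)
{
    struct row_data *row = calloc(1, sizeof *row);
    if (row == NULL)
        return NULL;
    row->physaddr = malloc(sizeof SAMPLE_MAC);
    if (row->physaddr == NULL) {
        free(row);
        return NULL;
    }
    memcpy(row->physaddr, SAMPLE_MAC, sizeof SAMPLE_MAC);
    row->physaddr_len = sizeof SAMPLE_MAC;
    return row;
}

/* The row owns its octets and frees them on teardown. */
void row_free(struct row_data *row)
{
    if (row == NULL)
        return;
    free(row->physaddr);
    free(row);
}

/* Buggy shape: the value given to the request context IS the row's buffer,
 * so the context and the row will each free the same block. */
int get_physaddr_aliased(struct row_data *row, unsigned char **val, size_t *len)
{
    *val = row->physaddr;
    *len = row->physaddr_len;
    return 0;
}

/* Fixed shape: the context gets its own copy, sized by the explicit length
 * rather than strlen(), so the leading 0x00 octet survives.  Allocation
 * failure is reported instead of handing out NULL alongside a length. */
int get_physaddr_copied(struct row_data *row, unsigned char **val, size_t *len)
{
    unsigned char *copy = malloc(row->physaddr_len > 0 ? row->physaddr_len : 1);
    if (copy == NULL) {
        *val = NULL;
        *len = 0;
        return -1;
    }
    memcpy(copy, row->physaddr, row->physaddr_len);
    *val = copy;
    *len = row->physaddr_len;
    return 0;
}

typedef int (*physaddr_getter)(struct row_data *, unsigned char **, size_t *);

/* Models one request: the context releases the value it was given, then the
 * row is released.  Returns 1 if the getter aliased row storage (the context's
 * free is skipped here because it would be the double free), 0 if the value
 * was an independent block and both frees ran, -1 on failure.  *value_ok
 * reports whether the delivered value matched SAMPLE_MAC in full. */
int run_request(physaddr_getter getter, int *value_ok)
{
    struct row_data *row = row_create();
    unsigned char *val = NULL;
    size_t len = 0;
    int aliased;

    if (row == NULL || getter(row, &val, &len) != 0) {
        row_free(row);
        return -1;
    }
    *value_ok = (len == sizeof SAMPLE_MAC && memcmp(val, SAMPLE_MAC, len) == 0);
    aliased = (val == row->physaddr);
    if (!aliased)
        free(val);      /* the context frees its own copy ... */
    row_free(row);      /* ... and the row frees its own octets */
    return aliased;
}

/* Why strdup() is the wrong primitive here: it stops at the first NUL byte,
 * and the sample's first octet is 0x00, so the copy would be empty. */
size_t sample_mac_strlen(void)
{
    return strlen((const char *)SAMPLE_MAC);
}

int main(void)
{
    int ok = 0;
    int aliased = run_request(get_physaddr_aliased, &ok);
    printf("aliased getter shares row storage: %d (value ok: %d)\n", aliased, ok);
    aliased = run_request(get_physaddr_copied, &ok);
    printf("copied getter shares row storage: %d (value ok: %d)\n", aliased, ok);
    printf("strlen() of the sample MAC: %zu\n", sample_mac_strlen());
    return 0;
}
```

Built with -fsanitize=address, replacing the `if (!aliased)` guard in run_request with an unconditional free(val) reproduces the double free for the aliased getter and stays clean for the copied one, which is the behavioural difference the patch relies on.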