Comment 6 for bug 2012926

Andreas Hasenack (ahasenack) wrote :

There are 3 commits that handle a double-free in agentx:

a)
commit f3e80746fde826cf4665fb959bda78cce061c883
Author: Bart Van Assche <email address hidden>
Date: Mon Aug 5 20:15:37 2019 -0700

    AgentX: Fix a use-after-free

    When calling snmp_async_send(), the callback function is called whether or
    not sending succeeds. Since the agentx_got_response() callback function
    frees the cache unconditionally, calling netsnmp_free_delegated_cache()
    explicitly after snmp_async_send() is wrong.

    See also https://sourceforge.net/p/net-snmp/bugs/2943/.

    Fixes: f9304c83f762 ("CHANGES: PATCH 1633670: fixed snmpd crashing when an AgentX subagent disconnect in the middle of processing of a request.") # v5.8.

b)
commit d73ebccfe45be49f70ab0a3f5dd298db78c99f6d
Author: Bart Van Assche <email address hidden>
Date: Thu May 16 13:48:03 2019 +0200

    AgentX: Fix two use-after-free issues

    snmp_add_full() frees the transport if it fails. This was detected by Coverity.

c)
commit 33f8e2e1d63ad5932ade885ffbff379cab1e50bd
Author: Shogo Matsumoto <email address hidden>
Date: Tue May 7 09:41:13 2019 +0900

    agent/mibgroup/agentx: Fix double free of delegated cache in agentx_got_response()

    If snmpd receives a response from a subagent immediately after the agentx
    session closed, agentx_got_response() frees the delegated cache twice.

    This patch changes the return value of "response too late on session"
    in the agentx_got_response function to make the caller of this function
    remove the request in order to prevent the double free.

    See also https://sourceforge.net/p/net-snmp/patches/1392/.

    Signed-off-by: Shogo Matsumoto <email address hidden>
    [ bvanassche: added patch tracker URL ]

https://sourceforge.net/p/net-snmp/bugs/2943/#8085 claims that patch 1392 (33f8e2e1d63ad5932ade885ffbff379cab1e50bd) did not fix the issue.

https://sourceforge.net/p/net-snmp/patches/1400/#0e56 describes what could perhaps become the test case for this bug:
"""
BTW, a good regression test for this, and how I could reproduce it, would be to kill (-9) the subagent while we are polling it. In my case, I start walking 1.3.6.1.2.1.15 and kill the subagent (bgpd) while we are doing the walk.
"""
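The ownership rule behind commit (a) is worth seeing in isolation: once a cache has been handed to an asynchronous send whose callback releases it in every outcome, the caller must not release it again on the failure path. The following is an added example written for this page, not net-snmp code: `async_send()`, `got_response()`, `delegated_cache` and the `CB_OP_*` values are a simplified stand-in for snmp_async_send(), agentx_got_response() and the delegated cache, and the release is instrumented with a counter instead of a real free() so the double release shows up as a number rather than as undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed callback operation codes for this model (not net-snmp's values). */
enum { CB_OP_RECEIVED = 1, CB_OP_SEND_FAILED = 2 };

/* Model of the delegated cache. free_count is instrumentation only: a real
 * implementation would free() here, and a second release would be a double free. */
typedef struct delegated_cache {
    int request_id;
    int free_count;
} delegated_cache;

delegated_cache *cache_new(int request_id)
{
    delegated_cache *c = calloc(1, sizeof *c);
    if (c)
        c->request_id = request_id;
    return c;
}

/* Stand-in for netsnmp_free_delegated_cache(): count releases instead of freeing. */
void cache_release(delegated_cache *c)
{
    c->free_count++;
}

typedef void (*response_cb)(int op, delegated_cache *cache);

/* Model session with a single pending request slot. */
typedef struct model_session {
    response_cb pending_cb;
    delegated_cache *pending_cache;
    int next_reqid;
} model_session;

/* Stand-in for snmp_async_send(): on failure the callback is invoked
 * immediately with CB_OP_SEND_FAILED and 0 is returned; on success the
 * callback is parked until a response is delivered and a request id is returned.
 * In both cases the callback, not the caller, ends up owning the cache. */
int async_send(model_session *s, int send_succeeds, response_cb cb,
               delegated_cache *cache)
{
    if (!send_succeeds) {
        cb(CB_OP_SEND_FAILED, cache);
        return 0;
    }
    s->pending_cb = cb;
    s->pending_cache = cache;
    return ++s->next_reqid;
}

/* Deliver the pending response, if any, to its callback. */
void deliver_response(model_session *s)
{
    if (s->pending_cb) {
        response_cb cb = s->pending_cb;
        delegated_cache *c = s->pending_cache;
        s->pending_cb = NULL;
        s->pending_cache = NULL;
        cb(CB_OP_RECEIVED, c);
    }
}

/* Stand-in for agentx_got_response(): releases the cache unconditionally,
 * whatever the operation code. */
void got_response(int op, delegated_cache *cache)
{
    (void)op;
    cache_release(cache);
}

/* Pre-fix caller: releases the cache again when the send fails. */
int send_request_buggy(model_session *s, int send_succeeds, delegated_cache *c)
{
    if (async_send(s, send_succeeds, got_response, c) == 0) {
        cache_release(c); /* BUG: got_response() already released it */
        return -1;
    }
    return 0;
}

/* Post-fix caller: the callback owns the cache in every outcome, so do nothing. */
int send_request_fixed(model_session *s, int send_succeeds, delegated_cache *c)
{
    return async_send(s, send_succeeds, got_response, c) == 0 ? -1 : 0;
}

/* Run one request through a caller and return how many times the cache was released. */
int releases_for(int send_succeeds,
                 int (*caller)(model_session *, int, delegated_cache *))
{
    model_session s = {0};
    delegated_cache *c = cache_new(7);
    caller(&s, send_succeeds, c);
    deliver_response(&s); /* no-op when the send already failed */
    int n = c->free_count;
    free(c);
    return n;
}

int main(void)
{
    printf("failed send, buggy caller: %d release(s)\n", releases_for(0, send_request_buggy));
    printf("failed send, fixed caller: %d release(s)\n", releases_for(0, send_request_fixed));
    printf("successful send, fixed caller: %d release(s)\n", releases_for(1, send_request_fixed));
    return 0;
}
```

Only the failed-send path differs between the two callers; on a successful send neither releases the cache until the response callback runs, which is why the bug only surfaces under error conditions such as a subagent disconnecting mid-request.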