There are 3 commits that handle a double-free in agentx:
a)
commit f3e80746fde826cf4665fb959bda78cce061c883
Author: Bart Van Assche <email address hidden>
Date: Mon Aug 5 20:15:37 2019 -0700
AgentX: Fix a use-after-free
When calling snmp_async_send(), the callback function is called whether or
not sending succeeds. Since the agentx_got_response() callback function
frees the cache unconditionally, calling netsnmp_free_delegated_cache()
explicitly after snmp_async_send() is wrong.
Fixes: f9304c83f762 ("CHANGES: PATCH 1633670: fixed snmpd crashing when an AgentX subagent disconnect in the middle of processing of a request.") # v5.8.
b)
commit d73ebccfe45be49f70ab0a3f5dd298db78c99f6d
Author: Bart Van Assche <email address hidden>
Date: Thu May 16 13:48:03 2019 +0200
AgentX: Fix two use-after-free issues
snmp_add_full() frees the transport if it fails. This was detected by Coverity.
c)
commit 33f8e2e1d63ad5932ade885ffbff379cab1e50bd
Author: Shogo Matsumoto <email address hidden>
Date: Tue May 7 09:41:13 2019 +0900
agent/mibgroup/agentx: Fix double free of delegated cache in agentx_got_response()
If snmpd receives a response from subagent immediately after the agentx
session closed, agentx_got_response() frees delegated cache twice.
This patch changes return value of "response too late on session"
in agentx_got_response function to make the caller of this function
remove the request in order to prevent double free.
https://sourceforge.net/p/net-snmp/patches/1400/#0e56 describes what could perhaps become the test case for this bug:
"""
BTW, a good regression test for this, and how I could reproduce it, would be to kill (-9) the subagent while we are polling it. In my case, I start walking 1.3.6.1.2.1.15 and kill the subagent (bgpd) while we are doing the walk.
"""
There are 3 commits that handle a double-free in agentx:
a)
commit f3e80746fde826cf4665fb959bda78cce061c883
Author: Bart Van Assche <email address hidden>
Date: Mon Aug 5 20:15:37 2019 -0700
AgentX: Fix a use-after-free
When calling snmp_async_send(), the callback function is called whether or
not sending succeeds. Since the agentx_got_response() callback function
frees the cache unconditionally, calling netsnmp_free_delegated_cache()
explicitly after snmp_async_send() is wrong.
See also https://sourceforge.net/p/net-snmp/bugs/2943/.
Fixes: f9304c83f762 ("CHANGES: PATCH 1633670: fixed snmpd crashing when an AgentX subagent disconnect in the middle of processing of a request.") # v5.8.
b)
commit d73ebccfe45be49f70ab0a3f5dd298db78c99f6d
Author: Bart Van Assche <email address hidden>
Date: Thu May 16 13:48:03 2019 +0200
AgentX: Fix two use-after-free issues
snmp_add_full() frees the transport if it fails. This was detected by Coverity.
c)
commit 33f8e2e1d63ad5932ade885ffbff379cab1e50bd
Author: Shogo Matsumoto <email address hidden>
Date: Tue May 7 09:41:13 2019 +0900
agent/mibgroup/agentx: Fix double free of delegated cache in agentx_got_response()
If snmpd receives a response from subagent immediately after the agentx
session closed, agentx_got_response() frees delegated cache twice.
This patch changes return value of "response too late on session"
in agentx_got_response function to make the caller of this function
remove the request in order to prevent double free.
See also https://sourceforge.net/p/net-snmp/patches/1392/.
Signed-off-by: Shogo Matsumoto <email address hidden>
[ bvanassche: added patch tracker URL ]
https://sourceforge.net/p/net-snmp/bugs/2943/#8085 claims that patch 1392 (33f8e2e1d63ad5932ade885ffbff379cab1e50bd) did not fix the issue.
https://sourceforge.net/p/net-snmp/patches/1400/#0e56 describes what could perhaps become the test case for this bug:
"""
BTW, a good regression test for this, and how I could reproduce it, would be to kill (-9) the subagent while we are polling it. In my case, I start walking 1.3.6.1.2.1.15 and kill the subagent (bgpd) while we are doing the walk.
"""
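The ownership rule described in commit a), as an added C model that is not net-snmp code: every name here (`cache_t`, `async_send`, `got_response`, `forward_request_*`) is hypothetical, and releases are counted rather than passed to free() so the double release can be observed safely. Placing the caller's extra release on the send-failure path is an assumption; the commit message only says the explicit free after the send is wrong.

```c
#include <stdio.h>

/* Simplified model with hypothetical names, not net-snmp code.
 * A release is counted instead of calling free(), so a double release
 * shows up as releases == 2 without undefined behaviour. */
typedef struct { int releases; } cache_t;

typedef void (*callback_fn)(int send_ok, cache_t *cache);

static void cache_release(cache_t *c) { c->releases++; }

/* Models the response callback: it releases the cache unconditionally. */
static void got_response(int send_ok, cache_t *cache) {
    (void)send_ok;
    cache_release(cache);
}

/* Models the send contract from commit a): the callback runs whether or
 * not sending succeeds. Returns 1 on success, 0 on failure. */
static int async_send(int link_up, callback_fn cb, cache_t *cache) {
    cb(link_up, cache);
    return link_up;
}

/* Before the fix (assumed shape): the caller also releases when the send
 * fails, believing the callback never ran. */
static int forward_request_buggy(int link_up) {
    cache_t cache = {0};
    if (!async_send(link_up, got_response, &cache))
        cache_release(&cache);      /* second release: the double free */
    return cache.releases;
}

/* After the fix: once the send is issued, the callback owns the cache. */
static int forward_request_fixed(int link_up) {
    cache_t cache = {0};
    async_send(link_up, got_response, &cache);
    return cache.releases;
}

int main(void) {
    printf("buggy, send fails: %d releases\n", forward_request_buggy(0));
    printf("fixed, send fails: %d releases\n", forward_request_fixed(0));
    printf("fixed, send ok:    %d releases\n", forward_request_fixed(1));
    return 0;
}
```

Building the real daemon with AddressSanitizer and running the kill-during-walk scenario quoted above is the corresponding check against actual heap state.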