Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 79028 - SEGV in Net-SNMP
Summary: SEGV in Net-SNMP
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: net-snmp
Version: 8.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Phil Knirsch
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-12-04 18:01 UTC by Need Real Name
Modified: 2015-03-05 01:11 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-12-19 09:00:31 UTC


Attachments (Terms of Use)

Description Need Real Name 2002-12-04 18:01:07 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021127

Description of problem:
There is an off-by-one error in the SNMP agent's source code. Anyone who can
make a GET request to the server can crash it.

Version-Release number of selected component (if applicable):
5.0.1

How reproducible:
Always

Steps to Reproduce:
N/A

Actual Results:  N/A

Expected Results:  N/A

Additional info:

Around agent/snmpd_agent.c:1490 where the agent grows its cache, it memsets all
but the last element in the expanded array to 0x00.

To fix it, change line 1490 from
    sizeof(netsnmp_tree_cache) * (CACHE_GROW_SIZE - 1));
to
    sizeof(netsnmp_tree_cache) * CACHE_GROW_SIZE );

This problem is also present in Net-SNMP 5.0.6, although the line moved down
around 1581.

Contact me if you need a demonstration program that can reliably crash snmpd.

Comment 1 Mark J. Cox 2002-12-05 08:09:48 UTC
Is this a known public issue (has it been reported to Net-SNMP folks)?  Any
references or details about how this was reported and when would help us with
any erratum.

Comment 2 Need Real Name 2002-12-05 15:33:24 UTC
I added it to the Net-SNMP bug tracker yesterday. It's number is 648515. Wes
Hardaker says a fix was already in the CVS tree and it will be in the
forthcoming 5.0.7 release.

Here's a link to the Sourceforge bug:
https://sourceforge.net/tracker/?func=detail&atid=112694&aid=648515&group_id=12694

Comment 3 Alan Cox 2002-12-18 18:42:24 UTC
Mark is this fixed in the latest snmp we pushed if so can you close it

Alan the bugzilla womble


Comment 4 Mark J. Cox 2002-12-19 09:00:31 UTC
Yes, fixed by erratum
http://rhn.redhat.com/errata/RHSA-2002-228.html

(This bug should have got automatically updated when the erratum was pushed,
will look into this as a process problem).


Note You need to log in before you can comment on or make changes to this bug.