tags 323038 + patch
thanks

Hi,
So, this segfault is obviously caused by a double-free, as the pointer passed to free() is, indeed, a valid pointer.

snmpd crashes at this point:

  .1.3.6.1.2.1.4.35.1.4.1.4.4.10.0.1.1 = Hex-STRING: 00 C1 97 AB AA 2A

So the crash happens after querying the very first object of .1.3.6.1.2.1.4.35.1.4.*, when the data structure gets freed. As the pointer is a valid pointer, the problem lies in where the structure is created/populated. This is handled in agent/mibgroup/ip-mib/inetNetToMediaTable/inetNetToMediaTable.c (surprise, surprise, this IP-MIB code is definitely buggy as hell).

  311 int
  312 inetNetToMediaPhysAddress_get(inetNetToMediaTable_rowreq_ctx * rowreq_ctx,
  ...
  327     (*inetNetToMediaPhysAddress_val_ptr_ptr) =
  328         rowreq_ctx->data->arp_physaddress;
  ...

The Hex-STRING looks very much like a MAC address, and it indeed is. This is where the data structure is populated with the MAC address string. It relies on the query context, and chances are this context gets freed automagically by something else before the data structure gets freed (I don't remember the magic of snmpd query contexts -- but the context gets freed before the data structure for sure).

Proposed patch attached; I think it's correct, but please discuss the problem with upstream. They may have a better way to fix this. And get them to do a full review of the IP-MIB code, looks like it's needed.

JB.

-- 
Julien BLACHE - Debian & GNU/Linux Developer - <[EMAIL PROTECTED]>
Public key available on <http://www.jblache.org> - KeyID: F5D6 5169
GPG Fingerprint : 935A 79F1 C8B3 3521 FD62 7CC7 CD61 4FD7 F5D6 5169
--- net-snmp-5.2.1.2.orig/agent/mibgroup/ip-mib/inetNetToMediaTable/inetNetToMediaTable.c +++ net-snmp-5.2.1.2/agent/mibgroup/ip-mib/inetNetToMediaTable/inetNetToMediaTable.c @@ -375,7 +375,7 @@ * set (* inetNetToMediaPhysAddress_val_ptr_ptr ) and (* inetNetToMediaPhysAddress_val_ptr_len_ptr ) from rowreq_ctx->data */ (*inetNetToMediaPhysAddress_val_ptr_ptr) = - rowreq_ctx->data->arp_physaddress; + strdup(rowreq_ctx->data->arp_physaddress); (*inetNetToMediaPhysAddress_val_ptr_len_ptr) = rowreq_ctx->data->arp_physaddress_len;
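Review bot: strdup() is the wrong copy primitive for this value. arp_physaddress is a binary MAC address (the crashing object decodes as Hex-STRING 00 C1 97 AB AA 2A, first byte 0x00), and strdup() stops at the first NUL byte, so the copy can be shorter than the length the unchanged line below still reports via (*inetNetToMediaPhysAddress_val_ptr_len_ptr) = rowreq_ctx->data->arp_physaddress_len; whoever later reads arp_physaddress_len bytes from the copy reads past the allocation. Allocate rowreq_ctx->data->arp_physaddress_len bytes and memcpy() them instead, and check the allocation result for NULL before storing it, since the strdup() here is unchecked. The copy also only removes the double free if the party that free()s the returned value is the same one that previously freed the aliased pointer; worth confirming with upstream which side owns the returned buffer so the copy is neither double-freed nor leaked.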