Date: Sat, 18 Sep 2021 10:58:00 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 258570] bsnmpwalk can crash due to bug in snmp_parse_resp() Message-ID: <bug-258570-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D258570 Bug ID: 258570 Summary: bsnmpwalk can crash due to bug in snmp_parse_resp() Product: Base System Version: 13.0-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: bin Assignee: bugs@FreeBSD.org Reporter: rtm@lcs.mit.edu Attachment #227978 text/plain mime type: Created attachment 227978 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D227978&action= =3Dedit Fake snmp server to demonstrate bsnmpwalk crash. snmp_parse_resp() in libbsnmptools contains: if (resp->error_status =3D=3D SNMP_ERR_NOSUCHNAME) { warnx("Error - No Such Name"); return (0); } It should be return(-1). If the name is bad, the return 0 will cause bsnmpwalk to continue with an unchecked reply, so (for example) if resp.nbindings is zero or huge, this line will generate a wild pointer: snmpwalk_nextpdu_create(op, &(resp.bindings[resp.nbindings - 1].var), &req); The attached fake snmp server demonstrates the problem: % cc bsnmpwalk1.c % ./a.out & waiting on port 1610 for a request % bsnmpwalk -s localhost:1610 SNMP: ignoring trailing junk in message bsnmpwalk: Error - No Such Name Bus error (core dumped) --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-258570-227>