net-snmp

Joshua,
Did you see explanations from *gurus*: Alex Ruzin &
Dave Shield ?
Did you try Alex's workaround ?
Let me know your opinion, please.

Regards, Ali

--- Joshua_Giles@... wrote:
> Ali,
> 
> I see the same problem with 4.2.3(with the same
> setup as you) after doing a
> "snmpwalk localhost public .1" It doesn't finish
> printing the tree;It only
> gets to:
> 
> $>system.sysORTable.sysOREntry.sysDRUptime.9 =
> (<representation of timeticks
> go 
> $>here>)
> $>Timeout: No response from localhost
> 
> I try a snmp(get/walk) I get a:
> 
> $>Timeout: No response from localhost
> 
> The daemon is still running.
> A look at the log indicates some sort of loop.
> 
> I imagine that this is not supposed to happen, when
> will this be fixed?
> 
> 
> 
> Joshua Giles
> ESG Systems Management Sr. Analyst
> Linux Operating System Development
> Joshua_Giles@...
> Linux website @ dell => http://www.dell.com/linux
> 
> 
> -----Original Message-----
> From: Ali Chanaui [mailto:ali_chanaui@...]
> Sent: Monday, February 25, 2002 4:10 AM
> To: Dave Shield; arozin@...
> Cc: SNMP coders
> Subject: Re: snmpgetnext security hole? was: Use of
> SNMPv1 resulted in a
> more secure Internet
> 
> 
> I have an apprehension: an attacker can use this
> behaviour to stick (or almost to stick) the SNMP
> daemon, can't he ?
> 
> Did you see Alex's reply ?
> How do you find his workaround ?
> 
> Regards, Ali
> 
> --- Dave Shield <D.T.Shield@...> wrote:
> > 
> > 
> > > But when I try to
> > > snmpgetnext -v1 <myIp> public public ifNumber.0
> > > - the agent sticks out; debugger shows, that, it
> > seems
> > > to me, in some infinite loop.
> > 
> > I suspect that if you wait long enough, the agent
> > *will* recover.
> > It's (probably) not an infinite loop - just a very
> > long one.
> > 
> > Basically, the agent is working its way through
> the
> > list of known
> > objects, trying to find the next one it's allowed
> to
> > return to you.
> > Since there isn't any such object, it will
> > eventually fail (and
> > return noSuchName or endOfMib)
> > 
> >   But in the meantime, your client has probably
> sent
> > a couple of
> > retransmissions (each of which the agent
> desperately
> > tries to handle
> > and fails), and given up in disgust - long before
> > the first response
> > comes back.
> > 
> >   Try it with a ridiculously long timeout - say 10
> > minutes - and see
> > if you actually get something back.
> > 
> > Dave
> > 
> > 
> > _______________________________________________
> > Net-snmp-coders mailing list
> > Net-snmp-coders@...
> >
>
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Sports - Coverage of the 2002 Olympic Games
> http://sports.yahoo.com
> 
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@...
>
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
> 
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@...
>
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders


__________________________________________________
Do You Yahoo!?
Yahoo! Sports - Coverage of the 2002 Olympic Games
http://sports.yahoo.com

>>>>> On Mon, 25 Feb 2002 08:03:37 -0800 (PST), Ali Chanaui <ali_chanaui@...> said:

Ali> Did you try Alex's workaround ?

Ali> Let me know your opinion, please.

I suspect that Alex's solution will break in other (less simple) cases.

-- 
Wes Hardaker
Please mail all replies to net-snmp-coders@...

Joshua,

Sure, there may be a couple of such situations.
The explanation is in label "gaga" in snmp_vars.c:
When access is denied for some object and exact!=0
(that indicates GETNEXT operation), agent tries to
find *next* accessible object.
I advise you to comment line "gogo gaga;",
it helped me.

Ali
--- Joshua_Giles@... wrote:
> Ali,
> 
> I see the same problem with 4.2.3(with the same
> setup as you) after doing a
> "snmpwalk localhost public .1" It doesn't finish
> printing the tree;It only
> gets to:
> 
> $>system.sysORTable.sysOREntry.sysDRUptime.9 =
> (<representation of timeticks
> go 
> $>here>)
> $>Timeout: No response from localhost
> 
> I try a snmp(get/walk) I get a:
> 
> $>Timeout: No response from localhost
> 
> The daemon is still running.
> A look at the log indicates some sort of loop.
> 
> I imagine that this is not supposed to happen, when
> will this be fixed?
> 
> 
> 
> Joshua Giles
> ESG Systems Management Sr. Analyst
> Linux Operating System Development
> Joshua_Giles@...
> Linux website @ dell => http://www.dell.com/linux
> 
> 
> -----Original Message-----
> From: Ali Chanaui [mailto:ali_chanaui@...]
> Sent: Monday, February 25, 2002 4:10 AM
> To: Dave Shield; arozin@...
> Cc: SNMP coders
> Subject: Re: snmpgetnext security hole? was: Use of
> SNMPv1 resulted in a
> more secure Internet
> 
> 
> I have an apprehension: an attacker can use this
> behaviour to stick (or almost to stick) the SNMP
> daemon, can't he ?
> 
> Did you see Alex's reply ?
> How do you find his workaround ?
> 
> Regards, Ali
> 
> --- Dave Shield <D.T.Shield@...> wrote:
> > 
> > 
> > > But when I try to
> > > snmpgetnext -v1 <myIp> public public ifNumber.0
> > > - the agent sticks out; debugger shows, that, it
> > seems
> > > to me, in some infinite loop.
> > 
> > I suspect that if you wait long enough, the agent
> > *will* recover.
> > It's (probably) not an infinite loop - just a very
> > long one.
> > 
> > Basically, the agent is working its way through
> the
> > list of known
> > objects, trying to find the next one it's allowed
> to
> > return to you.
> > Since there isn't any such object, it will
> > eventually fail (and
> > return noSuchName or endOfMib)
> > 
> >   But in the meantime, your client has probably
> sent
> > a couple of
> > retransmissions (each of which the agent
> desperately
> > tries to handle
> > and fails), and given up in disgust - long before
> > the first response
> > comes back.
> > 
> >   Try it with a ridiculously long timeout - say 10
> > minutes - and see
> > if you actually get something back.
> > 
> > Dave
> > 
> > 
> > _______________________________________________
> > Net-snmp-coders mailing list
> > Net-snmp-coders@...
> >
>
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Sports - Coverage of the 2002 Olympic Games
> http://sports.yahoo.com
> 
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@...
>
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders


__________________________________________________
Do You Yahoo!?
Yahoo! Sports - Coverage of the 2002 Olympic Games
http://sports.yahoo.com

Wes,
Would like to get me more details?
Which "less simple" situations do you speak about?
I am uneasy about security considerations, concerning
this effect.

Regards, Ali

--- Wes Hardaker <hardaker@...>
wrote:
> >>>>> On Mon, 25 Feb 2002 08:03:37 -0800 (PST), Ali
> Chanaui <ali_chanaui@...> said:
> 
> Ali> Did you try Alex's workaround ?
> 
> Ali> Let me know your opinion, please.
> 
> I suspect that Alex's solution will break in other
> (less simple) cases.
> 
> -- 
> Wes Hardaker
> Please mail all replies to
> net-snmp-coders@...
> 
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@...
>
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders


__________________________________________________
Do You Yahoo!?
Yahoo! Sports - Coverage of the 2002 Olympic Games
http://sports.yahoo.com

>>>>> On Mon, 25 Feb 2002 22:51:30 -0800 (PST), Ali Chanaui <ali_chanaui@...> said:

Ali> Which "less simple" situations do you speak about?

Create a view where both the system group and the usmUserTable are
accessible, but nothing else.  I'm betting if you walk .1.3 you'll see
only one part of the legal mib tree.

-- 
Wes Hardaker
Please mail all replies to net-snmp-coders@...

Wes,

I don't see a "big deal" in such situation: for me,
if any *getnext* operation for some object fails (for
some reason, including permissions limitation), a
reguest has to be rejected at all.
Where is defined, that in described situation agent
must jump to another (next) accessible subtree ?

Thakx for your time, Ali

--- Wes Hardaker wrote:
Wes> >... On Mon, 25 Feb 2002 22:51:30 -0800 (PST),
Ali
Wes> Chanaui <ali_chanaui@...> said:
Wes> 
Wes> Ali> Which "less simple" situations do you speak
Wes> about?
Wes> 
Wes> Create a view where both the system group and the
Wes> usmUserTable are
Wes> accessible, but nothing else.  I'm betting if you
Wes> walk .1.3 you'll see
Wes> only one part of the legal mib tree.
Wes> 


__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!
http://greetings.yahoo.com

Wes,

I checked - it is very strange, but we both made
mistake in the considertiong.
I allow read-only access to system ant to snmp only.
snmpwalk <...> .1 travels via both subtrees fine !
Now I will try to check it without "goto gaga"
commenting out.

Ali

--- Wes Hardaker <hardaker@...>
wrote:
> >>>>> On Mon, 25 Feb 2002 22:51:30 -0800 (PST), Ali
> Chanaui <ali_chanaui@...> said:
> 
> Ali> Which "less simple" situations do you speak
> about?
> 
> Create a view where both the system group and the
> usmUserTable are
> accessible, but nothing else.  I'm betting if you
> walk .1.3 you'll see
> only one part of the legal mib tree.
> 
> -- 
> Wes Hardaker
> Please mail all replies to
> net-snmp-coders@...
> 
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@...
>
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders


__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!
http://greetings.yahoo.com

Wes (and David),
I tried the same test in the original code;
Agent is dead (spin?) !
(I remind, that if "goto gaga" is commented out,
as Alex proposed, it works fine, travelling between
both subtrees).

Your comments ?

I'm worry that I don't have a relevant
your fix (see your
message below), i.e. this bug (sorry) had been
fixed only in CVS,
not in version 4.2.3; could you refer me to the
relevant place in the code, pls ?

Thanx 4 cooperation, Ali

 --- Wes Hardaker <hardaker@...>
wrote:
> Note that this problem you're speaking of is only a
> problem *if* the
> incoming request actually has a valid community
> name for part of the
> tree.  If they don't have a valid community
> name (try a random string
> of letters as an example) then you won't see
> this problem and the
> agent will not spin (it used to actually,
> but I fixed this a long time
> ago).




__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!
http://greetings.yahoo.com

>>>>> On Wed, 27 Feb 2002 04:29:18 -0800 (PST), Ali Chanaui <ali_chanaui@...> said:

Ali> I don't see a "big deal" in such situation: for me, if any
Ali> *getnext* operation for some object fails (for some reason,
Ali> including permissions limitation), a reguest has to be rejected
Ali> at all.  Where is defined, that in described situation agent must
Ali> jump to another (next) accessible subtree ?

Ali,

Try the following:

com2sec acommunity default mycomm
group   mygroup v1 acommunity
view    all included .1.3.6.1.2.1.1.3
view    all included .1.3.6.1.2.1.1.6

Then do a getnext on sysContact.  If you get an end-of-mib, you've
borke how things *MUST* work according to the SNMP protocol.

(it's actually possible even the above will still work.  I'll leave
the exercise to the reader where the test is similar to the above, but
selects 2 non-sequential rows from a fully populated table but from a
single column)
-- 
Wes Hardaker
Please mail all replies to net-snmp-coders@...

Wes, Dave and Alex !

I worked hard to study the problem.
1. First of all the snmpd.conf Wes suggeted to use
com2sec acommunity default mycomm
group   mygroup v1 acommunity
view    all included .1.3.6.1.2.1.1.3
view    all included .1.3.6.1.2.1.1.6
doesn't allow any access :( (Why?)

I had to play with:
com2sec acommunity default mycommunity 
group mygroup v1 acommunity
access mygroup ""      any       noauth    exact 
systemview none   none
view systemview included .1.3.6.1.2.1.1.3
view systemview included .1.3.6.1.2.1.1.3
#view systemview included .1

2. As Alex writes "This effect (great delay) may be
seen only if the [MIB] tree is a large one" (and
it seems to be true), I deleted all our MIBs
implemenations.

3. Bellow is a results of my tests.

with gaga (original agent's code)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

~ >time snmpwalk localhost mycommunity .1
system.sysUpTime.0 = Timeticks: (6984) 0:01:09.84
system.sysLocation.0 = "Unknown"
End of MIB
0.310u 0.050s 0:00.56 64.2%	0+0k 0+0io 254pf+0w
~ >time snmpwalk localhost mycommunity system
system.sysUpTime.0 = Timeticks: (8366) 0:01:23.66
system.sysLocation.0 = "Unknown"
End of MIB
0.360u 0.020s 0:00.55 69.0%	0+0k 0+0io 254pf+0w
~ >time snmpgetnext localhost mycommunity sysDescr.0
system.sysUpTime.0 = Timeticks: (14577) 0:02:25.77
0.340u 0.030s 0:00.39 94.8%	0+0k 0+0io 253pf+0w
~ >time snmpgetnext localhost mycommunity sysUpTime.0
system.sysLocation.0 = "Unknown"
0.360u 0.000s 0:00.39 92.3%	0+0k 0+0io 253pf+0w
~ >time snmpgetnext localhost mycommunity sysContact.0
system.sysLocation.0 = "Unknown"
0.340u 0.030s 0:00.39 94.8%	0+0k 0+0io 253pf+0w
~ >time snmpgetnext localhost mycommunity
sysLocation.0
Error in packet.
Reason: (noSuchName) There is no such variable name in
this MIB.
Failed object: system.sysLocation.0

0.330u 0.040s 0:00.53 69.8%	0+0k 0+0io 251pf+0w

with "goto gaga;" commented out
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
~ >time snmpwalk localhost mycommunity .1
system.sysUpTime.0 = Timeticks: (2638) 0:00:26.38
system.sysLocation.0 = "Unknown"
End of MIB
0.370u 0.000s 0:00.54 68.5%	0+0k 0+0io 255pf+0w
~ >time snmpwalk localhost mycommunity .1
system.sysUpTime.0 = Timeticks: (3011) 0:00:30.11
system.sysLocation.0 = "Unknown"
End of MIB
0.350u 0.030s 0:00.54 70.3%	0+0k 0+0io 254pf+0w
~ >time snmpwalk localhost mycommunity system
system.sysUpTime.0 = Timeticks: (4413) 0:00:44.13
system.sysLocation.0 = "Unknown"
End of MIB
0.370u 0.000s 0:00.54 68.5%	0+0k 0+0io 254pf+0w
~ >time snmpgetnext localhost mycommunity sysDescr.0
system.sysUpTime.0 = Timeticks: (5980) 0:00:59.80
0.370u 0.000s 0:00.40 92.5%	0+0k 0+0io 253pf+0w
~ >time snmpgetnext localhost mycommunity sysUpTime.0
system.sysLocation.0 = "Unknown"
0.360u 0.000s 0:00.40 90.0%	0+0k 0+0io 253pf+0w
~ >time snmpgetnext localhost mycommunity sysContact.0
system.sysLocation.0 = "Unknown"
0.340u 0.030s 0:00.40 92.5%	0+0k 0+0io 253pf+0w
~ >time snmpgetnext localhost mycommunity
sysLocation.0
Error in packet.
Reason: (noSuchName) There is no such variable name in
this MIB.
Failed object: system.sysLocation.0

0.340u 0.030s 0:00.55 67.2%	0+0k 0+0io 251pf+0w

As it seems to me, "without 'gaga'" it works better
and there are no problems. At least I don't see.

So, I ask your permition to delete this "gaga".
Suggestion of Dave to move ourselves to 4.2.4.pre1 I
can't accept since we have to use only official
version (it makes one laugh, but I allowed to change
the official version).
Or: may you refer to relevant place of code in 4.2.3
and we (may be, me) will change it.

Thanks a lot for the cooperation.


--- Wes Hardaker <hardaker@...>
wrote:
> >>>>> On Wed, 27 Feb 2002 04:29:18 -0800 (PST), Ali
> Chanaui <ali_chanaui@...> said:
> 
> Ali> I don't see a "big deal" in such situation: for
> me, if any
> Ali> *getnext* operation for some object fails (for
> some reason,
> Ali> including permissions limitation), a reguest
> has to be rejected
> Ali> at all.  Where is defined, that in described
> situation agent must
> Ali> jump to another (next) accessible subtree ?
> 
> Ali,
> 
> Try the following:
> 
> com2sec acommunity default mycomm
> group   mygroup v1 acommunity
> view    all included .1.3.6.1.2.1.1.3
> view    all included .1.3.6.1.2.1.1.6
> 
> Then do a getnext on sysContact.  If you get an
> end-of-mib, you've
> borke how things *MUST* work according to the SNMP
> protocol.
> 
> (it's actually possible even the above will still
> work.  I'll leave
> the exercise to the reader where the test is similar
> to the above, but
> selects 2 non-sequential rows from a fully populated
> table but from a
> single column)
> -- 
> Wes Hardaker
> Please mail all replies to
> net-snmp-coders@...
> 
> _______________________________________________
> Net-snmp-coders mailing list
> Net-snmp-coders@...
>
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders


__________________________________________________
Do You Yahoo!?
Yahoo! Greetings - Send FREE e-cards for every occasion!
http://greetings.yahoo.com