#2347 Mismatched packet causes proxy to crash

proxy-override-etc
pending
nobody
apps (205)
5
2013-01-25
2012-03-08
No

Send a packet with two OIDs from a client to a server via the SNMPd proxy (any OS, current revision). Send back a packet with only one OID, value pair.

Expected behavior: Proxy logs an error (it is an invalid packet)
Actual behavior: Proxy logs error, crashes and dies

Purging address from address cache: UDP: [192.168.21.133]:56657
Received SNMP packet(s) from UDP: [192.168.21.220]:40684
GET message
-- SNMPv2-SMI::enterprises.31533.1.15.22.0
-- SNMPv2-SMI::enterprises.3495.1.3.1.7.0
-- SNMPv2-SMI::enterprises.31533.1.4.4.0
-- SNMPv2-SMI::enterprises.3495.1.3.1.2.0
-- SNMPv2-SMI::enterprises.31533.1.15.23.0
-- UCD-SNMP-MIB::ssCpuRawNice.0
-- UCD-SNMP-MIB::dskAvail.1
-- UCD-SNMP-MIB::dskUsed.1
-- UCD-SNMP-MIB::memCached.0
-- UCD-SNMP-MIB::ssCpuRawSystem.0

Sending 65 bytes to UDP: [127.0.0.1]:1161
0000: 30 3F 02 01 01 04 06 6D 72 6F 75 6E 64 A0 32 02 0?.....mround.2.
0016: 04 0F 44 2B DB 02 01 00 02 01 00 30 24 30 10 06 ..D+.......0$0..
0032: 0C 2B 06 01 04 01 81 F6 2D 01 0F 16 00 05 00 30 .+......-......0
0048: 10 06 0C 2B 06 01 04 01 81 F6 2D 01 0F 17 00 05 ...+......-.....
0064: 00 .

Sending 65 bytes to UDP: [127.0.0.1]:3401
0000: 30 3F 02 01 00 04 06 6D 72 6F 75 6E 64 A0 32 02 0?.....mround.2.
0016: 04 0F 44 2B DC 02 01 00 02 01 00 30 24 30 10 06 ..D+.......0$0..
0032: 0C 2B 06 01 04 01 9B 27 01 03 01 07 00 05 00 30 .+.....'.......0
0048: 10 06 0C 2B 06 01 04 01 9B 27 01 03 01 02 00 05 ...+.....'......
0064: 00 .

Received 82 bytes from UDP: [127.0.0.1]:3401
0000: 30 82 00 4E 02 01 00 04 06 6D 72 6F 75 6E 64 A2 0..N.....mround.
0016: 82 00 3F 02 04 0F 44 2B DC 02 01 00 02 01 00 30 ..?...D+.......0
0032: 82 00 2F 30 82 00 13 06 0C 2B 06 01 04 01 9B 27 ../0.....+.....'
0048: 01 03 01 07 00 42 03 00 93 98 30 82 00 14 06 0C .....B....0.....
0064: 2B 06 01 04 01 9B 27 01 03 01 02 00 41 04 01 40 +.....'.....A..@
0080: 23 EA #.

Received 50 bytes from UDP: [127.0.0.1]:1161
0000: 30 30 02 01 01 04 06 6D 72 6F 75 6E 64 A2 23 02 00.....mround.#.
0016: 04 0F 44 2B DB 02 01 00 02 01 00 30 15 30 13 06 ..D+.......0.0..
0032: 0C 2B 06 01 04 01 81 F6 2D 01 0F 16 00 02 03 01 .+......-.......
0048: 32 58 2X

response to proxy request illegal. We're screwed.
*** glibc detected *** /usr/sbin/snmpd: double free or corruption (!prev): 0x0a053e10 ***
======= Backtrace: =========
/lib/libc.so.6[0x9b25a5]
/lib/libc.so.6(cfree+0x59)[0x9b29e9]
/usr/lib/libnetsnmp.so.10(snmp_free_pdu+0xfe)[0x19258e]
/usr/lib/libnetsnmp.so.10[0x19d5a5]
/usr/lib/libnetsnmp.so.10(_sess_read+0x590)[0x19e8c0]
/usr/lib/libnetsnmp.so.10(snmp_sess_read+0x29)[0x19f7b9]
/usr/lib/libnetsnmp.so.10(snmp_read+0x2f)[0x19f80f]
/usr/sbin/snmpd(main+0x2001)[0x5fca31]
/lib/libc.so.6(__libc_start_main+0xdc)[0x95ee9c]
/usr/sbin/snmpd[0x5fa5b1]
======= Memory map: ========
Aborted
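
The count mismatch can be confirmed from the logged packets alone. The following is an added example, not part of the report or of net-snmp: it decodes the four dumps with a small bounds-checked BER reader and pairs each Response with its request by request-id. The function names are illustrative, and only SNMPv1/v2c GET-style PDUs are handled.

```python
# Packets from the hex dumps above, one string literal per dump row, in log order:
# sent to :1161, sent to :3401, received from :3401, received from :1161.
PACKETS = [bytes.fromhex(h) for h in (
    "303F02010104066D726F756E64A03202" "040F442BDB0201000201003024301006"
    "0C2B0601040181F62D010F1600050030" "10060C2B0601040181F62D010F170005" "00",
    "303F02010004066D726F756E64A03202" "040F442BDC0201000201003024301006"
    "0C2B060104019B270103010700050030" "10060C2B060104019B27010301020005" "00",
    "3082004E02010004066D726F756E64A2" "82003F02040F442BDC02010002010030"
    "82002F30820013060C2B060104019B27" "0103010700420300939830820014060C"
    "2B060104019B27010301020041040140" "23EA",
    "303002010104066D726F756E64A22302" "040F442BDB0201000201003015301306"
    "0C2B0601040181F62D010F1600020301" "3258",
)]

def children(buf):
    """Yield (tag, value) for each BER TLV in buf; ValueError if one overruns buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            if n == 0 or pos + n > len(buf):
                raise ValueError("bad BER length")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("TLV overruns its container")
        yield tag, buf[pos:pos + length]
        pos += length

def summarize(packet):
    """Return (pdu_tag, request_id, varbind_count) for an SNMPv1/v2c message."""
    [(msg_tag, msg)] = children(packet)
    _version, _community, (pdu_tag, pdu) = children(msg)
    (id_tag, req_id), _status, _index, (list_tag, varbinds) = children(pdu)
    if (msg_tag, id_tag, list_tag) != (0x30, 0x02, 0x30):
        raise ValueError("not an SNMP v1/v2c PDU")
    count = sum(1 for _ in children(varbinds))
    return pdu_tag, int.from_bytes(req_id, "big", signed=True), count

def mismatched_responses(packets):
    """Return (request_id, asked, answered) per Response whose varbind count differs."""
    asked, bad = {}, []
    for pdu_tag, req_id, count in map(summarize, packets):
        if pdu_tag != 0xA2:            # not a Response: remember what was asked
            asked[req_id] = count
        elif asked.get(req_id) != count:   # asked is None for an unsolicited reply
            bad.append((req_id, asked.get(req_id), count))
    return bad
```

Run over the logged packets, `mismatched_responses(PACKETS)` reports only request-id 0x0F442BDB (two varbinds asked, one answered); the exchange with port 3401 pairs cleanly.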

Discussion

  • bart
    2012-03-08

    And what does "current revision" mean? We need a version number or git commit ID instead.