#1370 snmpd crash on tcp disconnect [CVE-2005-4837]

closed
Robert Story
None
5
2012-11-08
2005-05-23
Anonymous
No

snmpd in master agentx mode crashed when a subagent closed
the TCP connection.

A TCP connection close routine is malfunctioning
(at line 5446 in snmp_api.c).
It raises SIGSEGV.

5367 if (transport->flags & NETSNMP_TRANSPORT_FLAG_STREAM) {
...
5389     newbuf =
5390         (u_char *) realloc(isp->packet,
5391                            isp->packet_len + rxbuf_len);
...
5398     isp->packet = newbuf;
5399     isp->packet_size = isp->packet_len + rxbuf_len;
5400     rxbuf = isp->packet + isp->packet_len;
}
...
5432 if (length <= 0 && transport->flags & NETSNMP_TRANSPORT_FLAG_STREAM) {
...
5446     SNMP_FREE(rxbuf);
...
}

Line 5446 must free not rxbuf but isp->packet.
< SNMP_FREE(rxbuf);
------------------

    SNMP\_FREE\(isp->packet\);
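
Review bot: the replacement line at 5446, SNMP_FREE(isp->packet), releases the block that lines 5389-5398 grow with realloc, but nothing in the change resets isp->packet_len or isp->packet_size. If any code can reach this session again after the disconnect branch at line 5432, line 5400 would compute rxbuf from a stale isp->packet_len, so set both fields to 0 next to the free. A one-line comment there noting that rxbuf is isp->packet + isp->packet_len in stream mode, and so is not a pointer to hand to free, would help keep the original mistake from coming back.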

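The pointer relationship behind this crash, as an added example that is not part of the original report or of the net-snmp source: the struct and the functions stream_reserve, is_allocation_base and stream_close are hypothetical, with only the field names borrowed from the excerpt. It shows that the read pointer equals the allocation base only while nothing is buffered, and that the disconnect path has to release through the owning pointer.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the session's stream reassembly state;
 * only the field names are taken from the excerpt. */
struct stream_state {
    unsigned char *packet;      /* base pointer returned by realloc() */
    size_t         packet_len;  /* bytes of a partial message already held */
    size_t         packet_size; /* allocated capacity */
};

/* Grow the buffer and return where the next read should land. The result
 * is packet + packet_len: an offset into the block, never a pointer the
 * caller may free. */
static unsigned char *stream_reserve(struct stream_state *s, size_t rxbuf_len)
{
    unsigned char *newbuf = realloc(s->packet, s->packet_len + rxbuf_len);
    if (newbuf == NULL)
        return NULL;            /* old block is still owned by s */
    s->packet = newbuf;
    s->packet_size = s->packet_len + rxbuf_len;
    return s->packet + s->packet_len;
}

/* 1 if ptr is the allocation base, i.e. the only value free() accepts. */
static int is_allocation_base(const struct stream_state *s, const void *ptr)
{
    return ptr == (const void *)s->packet;
}

/* Disconnect path: release through the owning pointer, clear the state. */
static void stream_close(struct stream_state *s)
{
    free(s->packet);
    s->packet = NULL;
    s->packet_len = s->packet_size = 0;
}

int main(void)
{
    struct stream_state s = {0};
    unsigned char *rx = stream_reserve(&s, 16);
    if (rx == NULL) return 1;
    printf("empty buffer: rx is base? %d\n", is_allocation_base(&s, rx));
    s.packet_len += 7;          /* constructed: 7 bytes of a partial message */
    rx = stream_reserve(&s, 16);
    if (rx != NULL) printf("7 bytes held: rx is base? %d\n", is_allocation_base(&s, rx));
    stream_close(&s);
    return 0;
}
```

With an empty buffer the two pointers coincide, which is why a free through the read pointer can go unnoticed until a disconnect arrives while a partial message is held.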
Discussion

  • Robert Story
    2005-06-09

    Logged In: YES
    user_id=76148

    Thanks for the bug report and patch. This has been fixed for
    future releases 5.3, 5.2.2 and 5.1.3.

     
  • Thomas Anders
    2007-04-11

    Logged In: YES
    user_id=848638
    Originator: NO

    The fix was also applied to the 5.0.x line, and included in release 5.0.10.2 and above.
    See SVN revision 12483.

     
  • Dave Shield
    2007-04-11

    Logged In: YES
    user_id=88893
    Originator: NO

    Also included in 5.0.10.2 and above.
    See SVN revision 12483

     