
#1741 5.4 smux.c smux_snmp_process() causes crash in select()

smux
closed
nobody
agent (1105)
6
2012-11-08
2006-12-20
No

Copied from Bug 1527930 (already closed, but this issue remains):

1.) Function: smux_snmp_process
If the recv(..) function returns "-1",
the function smux_peer_cleanup will be called.
But the socket descriptor in the sdlist from snmpd.c
for the select call will not be removed.
So select crashes.

3.) Function: smux_snmp_process
...
size_t length = SMUXMAXPKTSIZE
...
length = recv(...) /* returns -1 when an error occurs */
...
if (length < 0) /* will never match */
   error-handling

process packet
   ...crash (if length == -1)...

----------------------
length is never < 0 because size_t => unsigned int.
length must be "ssize_t"

Rev. 5.21 of agent/mibgroup/smux/smux.c (as in net-snmp 5.4) has changed the size_t to int which seems to fix 3) but unhides 3) (which hasn't been addressed yet).

Please also see http://sourceforge.net/mailarchive/message.php?msg_id=37711297
for a related crash report.
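
The two defects described in this report, modelled as an added example (this is not net-snmp code and not the patch referenced in this ticket). `PKT_MAX`, the `sdlist` array and all function names are hypothetical stand-ins; in this model a closed descriptor left in the set makes select() fail with EBADF.

```c
#include <errno.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

#define PKT_MAX 1500   /* stand-in for SMUXMAXPKTSIZE; the value is assumed */
static int sdlist[8];  /* simplified model of the descriptor list select() uses */
static int sdlen;

static void sd_remove(int fd) {
    for (int i = 0; i < sdlen; i++)
        if (sdlist[i] == fd) { sdlist[i] = sdlist[--sdlen]; return; }
}

/* Item 3 as reported: recv()'s -1 lands in a size_t, so the check is dead code. */
int error_seen_unsigned(int fd) {
    char buf[PKT_MAX];
    size_t length = (size_t)recv(fd, buf, sizeof buf, 0);
    return length < 0;             /* always 0: -1 became SIZE_MAX */
}

/* Signed type: the error branch is reachable again. */
int error_seen_signed(int fd) {
    char buf[PKT_MAX];
    ssize_t length = recv(fd, buf, sizeof buf, 0);
    return length < 0;
}

/* Item 1: close the peer, optionally unlist it, select(); returns 0 or errno. */
int select_after_cleanup(int unlist) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return errno;
    sdlen = 0;
    sdlist[sdlen++] = sv[0];       /* the peer that is about to fail */
    sdlist[sdlen++] = sv[1];       /* stands in for the agent's other sockets */
    close(sv[0]);                  /* cleanup closes the peer's socket */
    if (unlist) sd_remove(sv[0]);
    fd_set rfds;
    FD_ZERO(&rfds);
    int maxfd = -1;
    for (int i = 0; i < sdlen; i++) {
        FD_SET(sdlist[i], &rfds);
        if (sdlist[i] > maxfd) maxfd = sdlist[i];
    }
    struct timeval tv = {0, 0};
    int err = select(maxfd + 1, &rfds, NULL, NULL, &tv) < 0 ? errno : 0;
    close(sv[1]);
    return err;
}
```

Compiling with `-Wextra` makes GCC flag the unsigned comparison in `error_seen_unsigned` as always false, which is a cheap way to find this pattern elsewhere in a code base.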

Discussion

  • Thomas Anders - 2006-12-20

    Logged In: YES
    user_id=848638
    Originator: YES

    ... unhides 1) (not 3), of course.

     
  • Hoemig - 2007-03-08

    Logged In: YES
    user_id=1552812
    Originator: NO

    Hi Thomas,

    If you want, I can send you a patch file for all the SMUX bugs (for net-snmp-5.3.0.1 from Bug 1527930).
    Every change is marked with:
    #if 1 /* AHG BUGFIX ...

    The Patch also contains a new SMUX-Select implementation.

    You can use it for 5.3.0.1 and 5.4.

    But how can I send you the patch :). I can't find an "ATTACH-FILE" button.

    On Monday, I can read your answer.

    Bye,

    Alex

     
  • Thomas Anders - 2007-03-08

    Logged In: YES
    user_id=848638
    Originator: YES

    Please submit the patch as a new patch tracker item on http://www.net-snmp.org/patches and post the patch number here.

     
  • Thomas Anders - 2007-03-23

    Logged In: YES
    user_id=848638
    Originator: YES

    Thanks for the bug report!
    We've fixed the problem in the 5.4.x code branch
    and the main development tree, so it should be
    fixed in future releases of the Net-SNMP package.

     
  • Thomas Anders - 2007-03-23

    Logged In: YES
    user_id=848638
    Originator: YES

    Fixed by applying patch 1678788 in SVN Rev. 15982.

     
