According to [RFC1157 - Section 4.1.3][1], it should be possible to send GetNext PDUs with multiple varbinds. If such a packet is sent to snmpd, the process crashes.
Unfortunately I'm having trouble creating a backtrace as the process is running in a docker container. Here's what I have available from information:
Send the following packet to the snmpd process:
```
30 38 02 01 01 04 07 70 72 69 76 61 74 65 a1 2a  08.....private.*
02 04 57 e2 23 b5 02 01 00 02 01 00 30 1c 30 0c  ..W.#.......0.0.
06 08 2b 06 01 02 01 02 02 01 05 00 30 0c 06 08  ..+.........0...
2b 06 01 02 01 02 02 02 05 00                    +.........
```
The packet represents the following PDU:
```
Sequence
    Integer(1)
    OctetString(b'private')
    GetNextRequest
        Request ID: 1474438130
        Error Status: 0
        Error Index: 0
        Varbinds:
            1.3.6.1.2.1.2.2.1: Null()
            1.3.6.1.2.1.2.2.2: Null()
```
```
Connection from UDP: [172.17.0.1]:41922->[172.17.0.2]:161
Received SNMP packet(s) from UDP: [172.17.0.1]:41922->[172.17.0.2]:161
netsnmp_assert (((void *)0) != tblreq_info) && (tblreq_info->colnum <= tad->tblreg_info->max_column) failed helpers/table_container.c:606 _data_lookup()
```
```
# dpkg -s snmpd
Package: snmpd
Status: install ok installed
Priority: optional
Section: net
Installed-Size: 171
Maintainer: Net-SNMP Packaging Team <pkg-net-snmp-devel@lists.alioth.debian.org>
Architecture: amd64
Source: net-snmp
Version: 5.7.2.1+dfsg-1
Depends: libc6 (>= 2.4), libsnmp30 (= 5.7.2.1+dfsg-1), debconf (>= 0.5) | debconf-2.0, adduser, debconf, lsb-base (>= 3.2-13), libsnmp-base
Suggests: snmptrapd
Conffiles:
 /etc/default/snmpd e98ef821440912aa84f28d397ce88b79
 /etc/init.d/snmpd 0f9c82d215e2e4b4b35400baec34a24d
 /etc/snmp/snmpd.conf 60b379aeb2134b268c53b5d3790d4560
Description: SNMP (Simple Network Management Protocol) agents
 The Simple Network Management Protocol (SNMP) provides a framework
 for the exchange of management information between agents (servers)
 and clients.
 .
 The Net-SNMP agent is a daemon which listens for incoming SNMP
 requests from clients and provides responses.
Homepage: http://net-snmp.sourceforge.net/
```
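The packet from the report above, decoded with a small BER parser, as an added example that is not part of the original ticket or of Net-SNMP. It handles only short-form lengths, which is all this packet uses, and the function names are illustrative.

```python
# Added example: minimal BER decoder; short-form lengths only (all < 128 here).
# PACKET is copied from the hex dump in the report.
PACKET = bytes.fromhex(
    "30 38 02 01 01 04 07 70 72 69 76 61 74 65 a1 2a "
    "02 04 57 e2 23 b5 02 01 00 02 01 00 30 1c 30 0c "
    "06 08 2b 06 01 02 01 02 02 01 05 00 30 0c 06 08 "
    "2b 06 01 02 01 02 02 02 05 00"
)
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA3: "SetRequest"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV at pos, with bounds checks."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated header or long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("TLV length runs past end of buffer")
    return buf[pos], buf[pos + 2:end], end

def children(value):
    """Split a constructed value into its list of (tag, value) members."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(val):
    """Decode BER OID bytes to dotted form (base-128 sub-identifiers)."""
    first = min(val[0] // 40, 2)
    ids, sub = [first, val[0] - 40 * first], 0
    for b in val[1:]:
        sub = (sub << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear: last byte of this sub-id
            ids.append(sub)
            sub = 0
    return ".".join(map(str, ids))

def decode_message(packet):
    tag, body, end = read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise ValueError("not a single BER SEQUENCE")
    (_, version), (_, community), (pdu_tag, pdu) = children(body)
    (_, req_id), _, _, (_, vbl) = children(pdu)
    oids = [decode_oid(children(vb)[0][1]) for _, vb in children(vbl)]
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("ascii"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(req_id, "big", signed=True),
            "varbinds": oids}
```

Run on the dumped bytes, `decode_message(PACKET)` yields community `private`, a GetNextRequest and the two varbinds listed in the report; the request ID carried in these bytes is 1474438069.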
Added the Dockerfile which I'm using for testing, including the snmpd.conf that goes along with it.
It does not have any general problems with getnext of multiple oids. The snmptable app does that all the time.
Actually it seems that it will crash on just a getnext of 1.3.6.1.2.1.2.2.2 :-(
I have attached a patch that might fix it. Could you try that, please?
Niels, please don't apply that patch. While it might fix the issue, it masks the real problem. The issue is in table_helper_handler, which does detect that the second OID is out of range for the handler (run with -Dhelper:table and you'll see 'oid out of range'). But this case isn't properly handled. I'm looking into it.
fixed in 5.4-patches, 5.7-patches and master.
commit 7ffb8e25a0db851953155de91f0170e9bf8c457d
Author: Robert Story rstory@freesnmp.com
Date: Thu Oct 6 10:43:10 2016
In https://sourceforge.net/p/net-snmp/bugs/2820/ we see a case that crashes with the same assert, even against 5.7-patches. Perhaps this fix was incomplete?
After re-doing my testing in a more controlled manner, I was wrong. I must have been testing 5.7.3 and not 5.7.3-patches when I thought that I had an instance where this bug still applied.