From: SourceForge.net <no...@so...> - 2004-04-26 07:16:40
Bugs item #939832, was opened at 2004-04-22 09:12
Message generated for change (Comment added) made by hgerstung
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=112694&aid=939832&group_id=12694

Category: apps
Group: None
Status: Open
Resolution: None
Priority: 4
Submitted By: Heiko (hgerstung)
Assigned to: Nobody/Anonymous (nobody)
Summary: segfault in snmpget and snmpwalk

Initial Comment:
I am trying to build an SNMP agent for one of our embedded devices. Whenever I try to snmpget something from this device, the snmpget app (and snmpwalk, too) aborts with a segmentation fault. As I am in an early stage of development, I am aware that my implementation is buggy (I am sure it is), but I understand that snmpget should not segfault when receiving an invalid reply from an agent.

----------------------------------------------------------------------

>Comment By: Heiko (hgerstung)
Date: 2004-04-26 09:16

Message:
Logged In: YES
user_id=1009520

Sorry, did not fix the problem. As far as I can see, the response->errstat variable has address 0x0 when the line

    if (response->errstat == SNMP_ERR_NOERROR) {

is executed, leading to a segfault because of this invalid address. I guess this happens in the snmp_synch_response() call two lines earlier.

Next try, please :-)

Kind regards,
Heiko

----------------------------------------------------------------------

Comment By: Dave Shield (dts12)
Date: 2004-04-23 13:48

Message:
Logged In: YES
user_id=88893

Good catch. Can you try the following patch (with the "broken" agent) and see whether it fixes the problem:

--- snmp_client.c 9 Mar 2004 15:10:21 -0000 5.5
+++ snmp_client.c 23 Apr 2004 11:45:27 -0000
@@ -185,8 +185,13 @@ * clone the pdu to return to snmp_synch_response */ state->pdu = snmp_clone_pdu(pdu); - state->status = STAT_SUCCESS; - session->s_snmp_errno = SNMPERR_SUCCESS; + if (state->pdu) { + state->status = STAT_SUCCESS; + session->s_snmp_errno = SNMPERR_SUCCESS; + } else { + state->status = STAT_ERROR; + session->s_snmp_errno = SNMPERR_ABORT; + } } } else if (op == NETSNMP_CALLBACK_OP_TIMED_OUT) { state->pdu = NULL;

The alternative approach would be to check the 'response' pointer before dereferencing it, but it would be less confusing if a return of STAT_SUCCESS wasn't accompanied by a null response!

----------------------------------------------------------------------

Comment By: Heiko (hgerstung)
Date: 2004-04-23 10:48

Message:
Logged In: YES
user_id=1009520

Caught the packet with Ethereal and found out that my agent altered the incoming community string by adding a 0x00 (string termination) to it, thus overwriting the first byte of the PDU type. This leads to a damaged SNMP packet and to the described segmentation fault.

My suggestion would be to check the response and reject the packet instead of segfaulting. For me it's ok, because I fixed my agent not to send those bad packets anymore, but I guess it would be good to harden the snmpget routines against bad packets, if possible.

Regards,
Heiko

----------------------------------------------------------------------

Comment By: Heiko (hgerstung)
Date: 2004-04-22 11:03

Message:
Logged In: YES
user_id=1009520

I traced this with DDD; the snmpwalk app (V5.1.1) crashes in main with SEGFAULT at the mark (==>). It looks like response is overwritten with a 0 value (0x0) in snmp_synch_response ...
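Review bot: the snmp_client.c hunk above only closes one of the ways snmp_synch_response() can hand back STAT_SUCCESS together with a NULL pdu, namely snmp_clone_pdu() failing, and the 2004-04-26 follow-up in this thread reports that with the patch applied the caller still sees STAT_SUCCESS with response == 0x0. Since the stated intent is that STAT_SUCCESS is never accompanied by a null response, enforce that invariant once, at the point where the synchronous result is returned to the caller, instead of in a single callback branch; something of the shape `if (state.status == STAT_SUCCESS && state.pdu == NULL) state.status = STAT_ERROR;` (names sketched from the hunk, not checked against the rest of the file) would cover every path that leaves the pdu unset, and should set s_snmp_errno the same way the new else branch does so the caller can tell why it got no reply. A one-line comment above `if (state->pdu) {` saying that STAT_ERROR/SNMPERR_ABORT here means "could not clone the reply" would also help, because a clone failure and a malformed reply from the agent are different things to a caller deciding whether to retry.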
----<cut here>------------snmpwalk.c----------function main----------
    /*
     * do the request
     */
    status = snmp_synch_response(ss, pdu, &response);
    if (status == STAT_SUCCESS) {
==>     if (response->errstat == SNMP_ERR_NOERROR) {
            /*
             * check resulting variables
             */
            for (vars = response->variables; vars; vars = vars->next_variable) {
----<cut here>------------snmpwalk.c----------function main----------

Hope this helps. I tried it with UCD snmp and it did not crash (but timed out and did not receive a reply from my device, but this I guess is related to my unfinished implementation). I would appreciate the debugging functions of net-snmp in this case, so I hope someone can fix this soon ;-)

----------------------------------------------------------------------

Comment By: Heiko (hgerstung)
Date: 2004-04-22 09:13

Message:
Logged In: YES
user_id=1009520

I forgot - I tried this with net-snmp 5.1 and a fresh download of 5.1.1 (yesterday).

----------------------------------------------------------------------
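The two hardening points this thread arrives at, as an added example in C that is not net-snmp code and not part of the original tracker entry: a bounds-checked walk over the head of an SNMPv1/v2c message that stops at the PDU tag and refuses anything that is not a context-class PDU, and a caller-side rule that uses a reply only when the status says success, the pointer is non-NULL, and the bytes actually carry a GetResponse. Both packets are constructed for the example: a well-formed GetResponse for community "public", and the same bytes with the PDU-type byte replaced by 0x00, which is what the reporter's agent produced when it wrote a string terminator past the end of the community string. The EX_STAT_* constants and the SNMP_HDR_* codes are the example's own stand-ins, chosen so it compiles without the library's headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Negative result codes: they never collide with a PDU tag (0xA0..0xA8). */
#define SNMP_HDR_TRUNCATED (-1)
#define SNMP_HDR_BAD_TAG   (-2)
#define SNMP_HDR_BAD_LEN   (-3)
/* Stand-ins for net-snmp's STAT_* values (assumption: no library headers). */
enum { EX_STAT_SUCCESS = 0, EX_STAT_ERROR = 1 };

/* Constructed SNMPv1 GetResponse, community "public", sysDescr.0 = "x".
 * Byte 13 (0xA2) is the PDU type tag. */
const uint8_t good_response[] = {
    0x30, 0x27, 0x02, 0x01, 0x00,                       /* SEQUENCE, version 0 */
    0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c',           /* community           */
    0xA2, 0x1a, 0x02, 0x01, 0x01,                       /* GetResponse, req-id */
    0x02, 0x01, 0x00, 0x02, 0x01, 0x00,                 /* errstat, errindex   */
    0x30, 0x0f, 0x30, 0x0d,                             /* varbind list, vb    */
    0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x04, 0x01, 'x'
};
/* Same bytes after the agent wrote a NUL terminator past the end of the
 * community string: byte 13 is 0x00 instead of 0xA2 (constructed). */
const uint8_t nul_smashed[] = {
    0x30, 0x27, 0x02, 0x01, 0x00,
    0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c',
    0x00, 0x1a, 0x02, 0x01, 0x01,                       /* <-- smashed tag     */
    0x02, 0x01, 0x00, 0x02, 0x01, 0x00,
    0x30, 0x0f, 0x30, 0x0d,
    0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x04, 0x01, 'x'
};

/* Read one BER tag/length header at buf[*pos]. On success store the tag and
 * content length, advance *pos to the first content byte and return 0.
 * Indefinite lengths and lengths that run past `len` are rejected. */
static int ber_header(const uint8_t *buf, size_t len, size_t *pos,
                      uint8_t *tag, size_t *clen)
{
    size_t p = *pos, l;
    if (p + 2 > len) return SNMP_HDR_TRUNCATED;       /* no room for tag+len */
    *tag = buf[p++];
    l = buf[p++];
    if (l & 0x80) {                                   /* long-form length    */
        size_t n = l & 0x7f;
        if (n == 0 || n > sizeof(size_t) || n > len - p)
            return SNMP_HDR_BAD_LEN;                  /* indefinite / absurd */
        l = 0;
        while (n--) l = (l << 8) | buf[p++];
    }
    if (l > len - p) return SNMP_HDR_BAD_LEN;         /* contents overrun    */
    *pos = p;
    *clen = l;
    return 0;
}

/* Walk SEQUENCE { version INTEGER, community OCTET STRING, pdu } and return
 * the PDU tag (0xA0 GetRequest .. 0xA8 Report). Any structural problem
 * returns a negative SNMP_HDR_* code so the caller drops the datagram
 * instead of dereferencing data that was never a PDU. */
int snmp_msg_pdu_tag(const uint8_t *buf, size_t len)
{
    size_t pos = 0, l, end;
    uint8_t tag;
    int rc;

    if ((rc = ber_header(buf, len, &pos, &tag, &l)) < 0) return rc;
    if (tag != 0x30) return SNMP_HDR_BAD_TAG;         /* outer SEQUENCE      */
    end = pos + l;                                    /* message boundary    */

    if ((rc = ber_header(buf, end, &pos, &tag, &l)) < 0) return rc;
    if (tag != 0x02) return SNMP_HDR_BAD_TAG;         /* version INTEGER     */
    pos += l;

    if ((rc = ber_header(buf, end, &pos, &tag, &l)) < 0) return rc;
    if (tag != 0x04) return SNMP_HDR_BAD_TAG;         /* community OCTET STR */
    pos += l;

    if ((rc = ber_header(buf, end, &pos, &tag, &l)) < 0) return rc;
    if (tag < 0xA0 || tag > 0xA8) return SNMP_HDR_BAD_TAG; /* not a PDU      */
    if (pos + l != end) return SNMP_HDR_BAD_LEN;      /* PDU must fill SEQ   */
    return tag;
}

/* Caller-side rule: use a reply only if status says success AND the pointer
 * is non-NULL AND the bytes really are a GetResponse (0xA2). */
int reply_usable(int status, const uint8_t *buf, size_t len)
{
    if (status != EX_STAT_SUCCESS || buf == NULL) return 0;
    return snmp_msg_pdu_tag(buf, len) == 0xA2;
}

int main(void)
{
    printf("good:    tag/rc = %d\n", snmp_msg_pdu_tag(good_response, sizeof good_response));
    printf("smashed: tag/rc = %d\n", snmp_msg_pdu_tag(nul_smashed, sizeof nul_smashed));
    printf("usable:  good=%d null=%d smashed=%d\n",
           reply_usable(EX_STAT_SUCCESS, good_response, sizeof good_response),
           reply_usable(EX_STAT_SUCCESS, NULL, 0),
           reply_usable(EX_STAT_SUCCESS, nul_smashed, sizeof nul_smashed));
    return 0;
}
```

On the smashed packet the walker returns SNMP_HDR_BAD_TAG and reply_usable() returns 0, so a client written this way logs and drops the datagram and never reaches the errstat dereference from the snmpwalk.c excerpt. The walker goes a little beyond the single corruption seen in the thread: it also rejects truncated messages, indefinite or oversized BER lengths, and a PDU that does not fill its enclosing SEQUENCE, which are the other cheap ways a half-finished agent can produce bytes that a trusting decoder will misread.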