[Net-snmp-bugs] [Bug #121756] 4.2.pre1: bus error in MDsign (SNMPv3/authType MD5)

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Bug #121756, was updated on 2000-Nov-06 01:54
Here is a current snapshot of the bug.

Project: net-snmp
Category: library
Status: Open
Resolution: None
Bug Group: None
Priority: 5
Summary: 4.2.pre1: bus error in MDsign (SNMPv3/authType MD5)

Details: I have configured the UCD SNMP tools so that they use SNMPv3 with securityLevel authNoPriv and authType MD5 by default.  Now I find that when I use the snmp... tools, they usually dump core with a bus error when computing the MD5 hash to sign request messages.

I assume that the reason for this is as follows:

The MD5 code used in UCD-SNMP uses 32-bit operations and requires that the plaintext buffer on which it operates be aligned to word boundaries.

In former times, when BER-encoding proceeded from left to right, this was always the case.  But now that the BER is written from the end, it is quite likely (P = 0.75) that the start of the BER-encoded message does *not* fall on a word boundary.

Proposed solution:

It would be nice if the MD5 code could be modified so that it doesn't have the word alignment requirement anymore.  However since MD5 is so 32-bit oriented this might be difficult.  So I think the easiest way around the problem would be to move the BER-encoded message backwards to the closest word boundary if (1.) the authType/privType encoding method requires that and (2.) the message doesn't already happen to be aligned correctly.

(gdb) r eg1 cpmCPUTotal5min
Starting program: /usr/local/bin/snmpbulkwalk eg1 cpmCPUTotal5min

Program received signal SIGBUS, Bus error.
MDreverse (X=0xffbee701) at md5.c:152
152         revx; revx; revx; revx; revx; revx; revx; revx;
(gdb) where
#0  MDreverse (X=0xffbee701) at md5.c:152
#1  0xff3559d8 in MDblock (MDp=0xffbebb90, X=0xffbee701) at md5.c:168
#2  0xff35668c in MDupdate (MDp=0xffbebb90, 
    X=0xffbee701 "0}\002\001\0030\020\002\004\022¶:·\002\002\005À\004\001\005\002\001\003\00400.\004\f", 
    count=512) at md5.c:294
#3  0xff356948 in MDsign (
    data=0xffbee701 "0}\002\001\0030\020\002\004\022¶:·\002\002\005À\004\001\005\002\001\003\00400.\004\f", 
    len=127, mac=0x14bdb0 "", maclen=12, 
    secret=0xffbee701 "0}\002\001\0030\020\002\004\022¶:·\002\002\005À\004\001\005\002\001\003\00400.\004\f", 
    secretlen=4290689936) at md5.c:404
#4  0xff3675b0 in sc_generate_keyed_hash (authtype=0x13f248, authtypelen=10, 
    key=0x144100 "ôN\030·\177\0033a*Ð\031\a²}?5", keylen=16, 
    message=0xffbee701 "0}\002\001\0030\020\002\004\022¶:·\002\002\005À\004\001\005\002\001\003\00400.\004\f", 
    msglen=127, MAC=0x14bdb0 "", maclen=0xffbebecc) at scapi.c:271
#5  0xff362608 in usm_rgenerate_out_msg (msgProcModel=-4266240, 
    globalData=0xffbec587 "\002\001\0030\020\002\004\022¶:·\002\002\005À\004\001\005\002\001\003", 
    globalDataLen=21, maxMsgSize=-4274324, secModel=54, secEngineID=0x0, secEngineIDLen=12, 
    secName=0x5e010 "leinen", secNameLen=6, secLevel=2, scopedPdu=0xffbee74a "04\004\f", scopedPduLen=54, 
    secStateRef=0x0, wholeMsg=0xffbee77f "", wholeMsgLen=0xffbec76c) at snmpusm.c:1578
#6  0xff343130 in snmpv3_packet_rbuild (pdu=0x5e3c0, packet=0xffbee77f "", out_length=0xffbec76c, 
    pdu_data=0xffbee749 "", pdu_data_len=4290692486) at snmp_api.c:2042
#7  0xff340c88 in snmpv3_build (session=0x5dee0, pdu=0x5e3c0, packet=0xffbee77f "", out_length=0xffbec76c)
    at snmp_api.c:1727
#8  0xff343c78 in _snmp_build (session=0x5dee0, pdu=0x5e3c0, packet=0xffbee77f "", out_length=0xffbec76c)
    at snmp_api.c:2163
#9  0xff3459dc in snmp_build (pss=0x5dee0, pdu=0x5e3c0, packet=0xffbee77f "", out_length=0xffbec76c)
    at snmp_api.c:2425
#10 0xff34c108 in _sess_async_send (sessp=0x5e3f4, pdu=0x5e3c0, callback=0, cb_data=0x0) at snmp_api.c:3740
#11 0xff34c3d8 in snmp_sess_async_send (sessp=0x14b640, pdu=0x5e3c0, callback=0x5e3f4, cb_data=0x10)
    at snmp_api.c:3836
#12 0xff34bedc in snmp_async_send (session=0x5dee0, pdu=0x5e3c0, callback=0, cb_data=0x0) at snmp_api.c:3643
#13 0xff34be98 in snmp_send (session=0x5dee0, pdu=0x5e3c0) at snmp_api.c:3626
#14 0xff32ebc4 in snmp_synch_response_cb (ss=0x5dee0, pdu=0x5e3c0, response=0xffbeeac0, 
    pcb=0xff32e4f0 <snmp_synch_input>) at snmp_client.c:609
#15 0xff32ed38 in snmp_synch_response (ss=0x5dee0, pdu=0x5e3c0,
response=0xffbeeac0) at snmp_client.c:662
#16 0x11088 in main (argc=385984, argv=0x1) at snmpbulkwalk.c:158

Regards,
-- 
Simon.			http://www.switch.ch/misc/leinen/

For detailed info, follow this link:
http://sourceforge.net/bugs/?func=detailbug&bug_id=121756&group_id=12694