#904 Core dump in net-snmp for long value of string index.
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2012-11-08
Created: 2008-04-17
Creator: Anonymous
Private: No
There looks to be a bug in function netsnmp_old_api_helper() of old_api.c. If the OID returned by the findVar function is longer than the current name_length, we will dump core.
patch for old_api.c
Logged In: NO
small update on the previous patch:
diff -u -p -r1.3 old_api.c
--- old_api.c 9 Nov 2006 19:58:49 -0000 1.3
+++ old_api.c 17 Apr 2008 04:19:12 -0000
@@ -243,6 +243,7 @@ netsnmp_old_api_helper(netsnmp_mib_handl
u_char *access = NULL;
netsnmp_old_api_cache *cacheptr;
netsnmp_agent_session *oldasp = NULL;
+ oid tmp_name[1024];
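Review bot: 'oid tmp_name[1024]' sizes the scratch buffer with an unexplained constant, and nothing in the patch checks requests->requestvb->name_length against 1024 before the memcpy into it in the next hunk. The only bound a findVar implementation is written against is the library's MAX_OID_LEN, so declaring 'oid tmp_name[MAX_OID_LEN];' and rejecting a request whose name_length exceeds MAX_OID_LEN up front would make the buffer and the contract agree and document where the size comes from.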
@@ -277,11 +278,31 @@ netsnmp_old_api_helper(netsnmp_mib_handl
/*
* Actually call the old mib-module function
*/
- if (vp && vp->findVar)
- access = (*(vp->findVar)) (cvp, requests->requestvb->name,
+ if (vp && vp->findVar) {
+ memcpy(tmp_name, requests->requestvb->name,
+ requests->requestvb->name_length * sizeof(oid));
+ access = (*(vp->findVar)) (cvp, tmp_name,
&(requests->requestvb->
name_length), exact, &len,
&write_method);
+ /*
+ * if the oid returned by findVar function is more than
+ * the current name_length, we will dump core.
+ */
+ if ((requests->requestvb->name == requests->requestvb->name_loc)
+ && (requests->requestvb->name_length <= 32)) {
+ memcpy(requests->requestvb->name, tmp_name,
+ requests->requestvb->name_length * sizeof(oid));
+ } else {
+ int name_len = requests->requestvb->name_length;
+
+ if (requests->requestvb->name !=
+ requests->requestvb->name_loc) {
+ free(requests->requestvb->name);
+ }
+ requests->requestvb->name = malloc(name_len * sizeof(oid));
+ memcpy(requests->requestvb->name, tmp_name,
+ name_len * sizeof(oid));
+ }
+ }
else
access = NULL;
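Review bot: the 'name_length <= 32' test that decides whether the result fits back in name_loc is a magic number with no visible connection to the size of name_loc; write it as sizeof(requests->requestvb->name_loc) / sizeof(oid) (or the MAX_OID_LEN the field is sized with) so the two cannot drift apart, and apply the same bound to the first memcpy into tmp_name, which copies name_length oids with no upper limit. In the else branch, 'requests->requestvb->name = malloc(name_len * sizeof(oid));' is used by the memcpy on the next line without a NULL check, so an allocation failure turns the crash this patch fixes into a different one. 'int name_len' should be size_t to match name_length, and a sentence in the comment block stating that findVar may legitimately return an OID longer than the one it was handed (the reason the copy-back exists) would help the next reader.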
Logged In: YES
user_id=88893
Originator: NO
SVN revision 17117.
Note that the actual patch applied is slightly simpler, as it uses the library function 'snmp_set_var_objid' to update the new OID. But this does the same memory re-allocation internally.
Logged In: YES
user_id=88893
Originator: NO
Thanks for the patch! It has been applied to the 5.2.x, 5.3.x and 5.4.x code branches and the main development tree, and will appear in future releases of the Net-SNMP package.
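The hazard this ticket describes, as an added example that is not net-snmp code and not the ticket's patch: a legacy findVar()-style callback rewrites the OID in the buffer it is handed and may make it longer, so calling it in place on the request's own name buffer writes past the end of that buffer. The block models a variable binding with a small inline name_loc and a heap name assumed to hold exactly name_length components, a constructed string-index module (the case in the ticket title), and a bounded wrapper that follows the same scratch-buffer-then-copy-back approach as the posted patch while adding the bounds and malloc checks that patch lacks. struct varbind, NAME_LOC_LEN, string_index_findvar, call_findvar_bounded and scenario are hypothetical names; MAX_OID_LEN is the SNMP limit of 128 sub-identifiers.

```c
/* Added example for this ticket, not net-snmp code: why a legacy findVar()-style
 * callback that rewrites its OID in place can overrun the caller's buffer, and
 * how to call it through a bounded scratch buffer. struct varbind, NAME_LOC_LEN,
 * the callback and the "heap name holds exactly name_length components" policy
 * are constructed for the demo; MAX_OID_LEN mirrors the SNMP limit of 128. */
#include <stdlib.h>
#include <string.h>

typedef unsigned long oid;
#define MAX_OID_LEN  128
#define NAME_LOC_LEN 8                  /* deliberately small inline buffer */

struct varbind {
    oid   *name;                        /* == name_loc, or a heap block of name_length */
    size_t name_length;
    oid    name_loc[NAME_LOC_LEN];
};

/* Legacy contract: may write up to MAX_OID_LEN components into name, reports
 * the new length via *len, and gets no capacity argument. */
typedef int (*find_var_fn)(oid *name, size_t *len);

/* Constructed module: appends a string index (length prefix, then one component
 * per byte), the case named in the ticket title. */
static const char *g_index = "a-rather-long-string-index";     /* 26 bytes */

static int string_index_findvar(oid *name, size_t *len)
{
    size_t i, n = strlen(g_index);
    if (*len + 1 + n > MAX_OID_LEN)
        return 0;                       /* a well-behaved module keeps the contract */
    name[*len] = (oid)n;
    for (i = 0; i < n; i++)
        name[*len + 1 + i] = (oid)(unsigned char)g_index[i];
    *len += 1 + n;
    return 1;
}

/* Bounded call: scratch buffer sized to the contract, reject what cannot fit,
 * then move the result back, reallocating only when needed. 0 on success. */
static int call_findvar_bounded(struct varbind *vb, find_var_fn fn)
{
    oid tmp[MAX_OID_LEN];
    size_t len = vb->name_length;

    if (len > MAX_OID_LEN)
        return -1;                      /* never copy more than tmp holds */
    memcpy(tmp, vb->name, len * sizeof(oid));
    if (!fn(tmp, &len) || len > MAX_OID_LEN)
        return -1;                      /* a length over the contract cannot be right */
    if (len <= NAME_LOC_LEN) {
        if (vb->name != vb->name_loc)
            free(vb->name);
        vb->name = vb->name_loc;
    } else if (vb->name == vb->name_loc || len > vb->name_length) {
        oid *p = malloc(len * sizeof(oid));
        if (p == NULL)
            return -1;                  /* the ticket's patch skips this check */
        if (vb->name != vb->name_loc)
            free(vb->name);
        vb->name = p;
    }
    memcpy(vb->name, tmp, len * sizeof(oid));
    vb->name_length = len;
    return 0;
}

/* Request OID 1..n: apply the bounded call and report how far an in-place call
 * (the pre-patch pattern) would have written past the original buffer.
 * Returns 0 = ok, -1 = refused, -2 = result is not prefix + index. */
static int scenario(size_t n, size_t *overrun, size_t *final_len)
{
    struct varbind vb;
    size_t i, idx = strlen(g_index), cap = n <= NAME_LOC_LEN ? NAME_LOC_LEN : n;
    int rc;

    vb.name_length = n;
    vb.name = n <= NAME_LOC_LEN ? vb.name_loc : malloc(n * sizeof(oid));
    if (vb.name == NULL)
        return -1;
    for (i = 0; i < n; i++)
        vb.name[i] = (oid)(i + 1);
    rc = call_findvar_bounded(&vb, string_index_findvar);
    if (rc == 0) {
        *final_len = vb.name_length;
        *overrun = vb.name_length > cap ? vb.name_length - cap : 0;
        if (vb.name_length != n + 1 + idx || vb.name[n] != (oid)idx ||
            vb.name[n + 1] != (oid)'a')
            rc = -2;
    }
    if (vb.name != vb.name_loc)
        free(vb.name);
    return rc;
}

/* Single-value views of a scenario: components an in-place call would have
 * written out of bounds, and the final length (-1 when the call is refused). */
static size_t overrun_for_prefix(size_t n)
{ size_t o = 0, l = 0; scenario(n, &o, &l); return o; }

static long bounded_len_for_prefix(size_t n)
{ size_t o = 0, l = 0; return scenario(n, &o, &l) == 0 ? (long)l : -1L; }
```

With a five-component request the module returns a 32-component OID: an in-place call would have written 24 components past the 8-slot inline buffer, while the bounded call moves the result to a fresh heap block. A ten-component request held in an exact-size heap block overruns by 27 the same way. A request of 101 components lands exactly on MAX_OID_LEN and is accepted; one of 120 cannot fit and is refused rather than truncated or overflowed.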