Bug 253393 - net-mgmt/net-snmp: After upgrading net-snmp-5.7.3_20.1 to net-snmp-5.9_1.1, some snmp responses are not decoded correctly and discarded.
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Ryan Steinmetz
Reported: 2021-02-10 03:38 UTC by Alexander
Modified: 2021-02-13 18:55 UTC
bugzilla: maintainer-feedback? (zi)


Attachments
fix incorrect length comparison (498 bytes, patch)
2021-02-10 03:38 UTC, Alexander

Description Alexander 2021-02-10 03:38:49 UTC
Created attachment 222314
fix incorrect length comparison

An example snmp response that cannot be decoded and is silently discarded. 

02:19:20.771922 IP (tos 0x0, ttl 29, id 43952, offset 0, flags [none], proto UDP (17), length 63)
    10.22.16.2.161 > 10.7.22.69.54275: [udp sum ok]  { SNMPv2c { GetResponse(16) R=1248693045  tooBig[errorIndex==0] } }
        0x0000:  001c c05d ea0f 001d 719b c280 0800 4500
        0x0010:  003f abb0 0000 1d11 b79a 0a16 1002 0a07
        0x0020:  1645 00a1 d403 002b b2fe 3082 001f 0201
        0x0030:  0104 0670 7562 6c69 63a2 8200 1002 044a
        0x0040:  6d8b 3502 0101 0201 0030 8200 00

As a result, my program does not see the "tooBig" error, and does not repeat the request with a reduced "max_repetitions" value. 

Ultimately, the request ends up with an SNMPERR_TIMEOUT error.


A patch that fixes this: 

--- snmplib/asn1.c.orig 2020-08-15 04:41:47.000000000 +0700
+++ snmplib/asn1.c      2021-02-10 02:51:55.625498000 +0700
@@ -348,7 +348,7 @@
          * long length; first byte is length of length (after masking high bit)
          */
         len_len = (int) ((*pkt & ~0x80) + 1);
-        if ((int) pkt_len <= len_len )
+        if ((int) pkt_len < len_len )
             return NULL;           /* still too short for length and data */

         /* now we know we have enough data to parse length */
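
Review bot: The comment on the `return NULL` line, "still too short for length and data", no longer matches the check once `<=` becomes `<`: a buffer holding exactly `len_len` bytes (the length octets and zero content bytes) now passes, which is the case the trailing `30 82 00 00` in the reported response needs. Suggest rewording it to say the buffer is too short for the length octets, and confirming that the code after this hunk rejects a decoded length larger than the `pkt_len - len_len` bytes that remain, because that check is not visible here. The `(int) pkt_len` cast also makes this a signed comparison; comparing in the unsigned type would be cleaner. A regression test using the response from the report would keep the boundary from slipping again.
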
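
The failure described in this report, reproduced as an added example (not net-snmp's code and not the reporter's): a minimal BER walker whose long-form length check can be switched between the `<=` and `<` comparisons from the patch, run over the payload bytes of the captured response. The names `RESPONSE`, `ber_length`, `count_tlvs` and the `old_check` flag are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: the 35-byte UDP payload from the capture above. */
static const uint8_t RESPONSE[] = {
    0x30,0x82,0x00,0x1f, 0x02,0x01,0x01, 0x04,0x06,'p','u','b','l','i','c',
    0xa2,0x82,0x00,0x10, 0x02,0x04,0x4a,0x6d,0x8b,0x35, 0x02,0x01,0x01,
    0x02,0x01,0x00, 0x30,0x82,0x00,0x00   /* empty varbind list, length 0 */
};

/* pkt points at the length octets; returns the start of content or NULL. */
static const uint8_t *ber_length(const uint8_t *pkt, size_t pkt_len,
                                 size_t *data_len, int old_check)
{
    size_t len_len = 1, i;
    if (pkt_len < 1)
        return NULL;
    *data_len = *pkt;                    /* short form: the octet is the length */
    if (*pkt & 0x80) {                   /* long form: low 7 bits count octets */
        len_len = (size_t)(*pkt & 0x7f) + 1;
        if (len_len == 1 || len_len > 1 + sizeof(size_t))
            return NULL;                 /* indefinite or oversized length */
        if (old_check ? pkt_len <= len_len : pkt_len < len_len)
            return NULL;                 /* "<=" also rejects zero content bytes */
        for (*data_len = 0, i = 1; i < len_len; i++)
            *data_len = (*data_len << 8) | pkt[i];
    }
    return *data_len > pkt_len - len_len ? NULL : pkt + len_len;
}

/* Walk every TLV (single-octet tags, constructed types recursed into);
 * returns the number of TLVs, or -1 on a decode error. */
static int count_tlvs(const uint8_t *buf, size_t len, int old_check)
{
    int n = 0;
    size_t dlen;
    while (len > 0) {
        const uint8_t *body = ber_length(buf + 1, len - 1, &dlen, old_check);
        int inner = (body && (buf[0] & 0x20)) ? count_tlvs(body, dlen, old_check) : 0;
        if (body == NULL || inner < 0)
            return -1;
        n += inner + 1;
        len -= (size_t)(body - buf) + dlen;
        buf = body + dlen;
    }
    return n;
}

int main(void) { return count_tlvs(RESPONSE, sizeof RESPONSE, 0) == 8 ? 0 : 1; }
```

With `old_check` set, the walk fails only at the final empty SEQUENCE, so the whole response is rejected even though every earlier field decodes; the closing bounds check in `ber_length` still rejects a truncated packet under either comparison.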
Comment 1 Alexander 2021-02-13 18:44:09 UTC
> Bart Van
> 
> Thanks for having reported this but I think this has already been fixed by commit 92f0fe9.
> 
> https://github.com/net-snmp/net-snmp/commit/92f0fe9e0dc3cf7ab6e8cc94d7962df83d0ddbec

:)) The problem was fixed long ago in the original project. Please add a fix for us too.
Comment 2 commit-hook freebsd_committer freebsd_triage 2021-02-13 18:55:15 UTC
A commit references this bug:

Author: zi
Date: Sat Feb 13 18:54:59 UTC 2021
New revision: 565173
URL: https://svnweb.freebsd.org/changeset/ports/565173

Log:
  - Bring in upstream commit to resolve badly formed responses (92f0fe9e0dc3cf7ab6e8cc94d7962df83d0ddbec)
  - Bump PORTREVISION

  PR:		253393

Changes:
  head/net-mgmt/net-snmp/Makefile
  head/net-mgmt/net-snmp/files/patch-92f0fe9e0dc3cf7ab6e8cc94d7962df83d0ddbec