To repro, with a running bsnmpd listening on default port, not the empty password env var: $ env SNMPUSER=bsnmp SNMPPRIV=aes SNMPAUTH=sha SNMPPASSWD= bsnmpget 1 Floating point exception (core dumped) $ ls bsnmpget.core bsnmpget.core Same for bsnmpwalk
^triage: I am not getting this core dump using the command you provided on 15-CURRENT.
I reproduced it: at /usr/src/FreeBSD/contrib/bsnmp/lib/snmpcrypto.c:274 274 authbuf[i] = passwd[(loop + i) % pwdlen]; pwdlen is 0 here.
Created attachment 256565 [details] suggested patch
(In reply to Gleb Smirnoff from comment #3) Looks reasonable to me. The code which allocates the buffer also looks wrong: 174 if ((str = getenv("SNMPPASSWD")) != NULL) { 175 if ((slen = strlen(str)) > MAXSTR) 176 slen = MAXSTR - 1; 177 if ((snmptoolctx->passwd = malloc(slen + 1)) == NULL) { 178 warn("malloc() failed"); 179 return (-1); 180 } 181 if (slen > 0) 182 strlcpy(snmptoolctx->passwd, str, slen + 1); 183 } Aren't we leaving passwd[0] uninitialized if slen == 0?
On Fri Jan 10 20:30:19 2025 UTC, markj@FreeBSD.org wrote: > Aren't we leaving passwd[0] uninitialized if slen == 0? Agreed. We should strlcpy() unconditionally.
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=3999a860d6e899de98b1025317d2d0ef1f83255f commit 3999a860d6e899de98b1025317d2d0ef1f83255f Author: Gleb Smirnoff <glebius@FreeBSD.org> AuthorDate: 2025-01-11 05:08:02 +0000 Commit: Gleb Smirnoff <glebius@FreeBSD.org> CommitDate: 2025-01-11 05:08:02 +0000 libbsnmptools: avoid uninitialized snmptoolctx->passwd with empty password The removed check left snmptoolctx->passwd pointer to uninitialized memory. Always calling strlcpy(3) would guarantee that with empty password it will point to empty string. Submitted by: markj PR: 283909 usr.sbin/bsnmpd/tools/libbsnmptools/bsnmptools.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
A commit in branch main references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=4dc1820a16b9b6108e0ff8a0265c08c67fa34146 commit 4dc1820a16b9b6108e0ff8a0265c08c67fa34146 Author: Gleb Smirnoff <glebius@FreeBSD.org> AuthorDate: 2025-01-11 05:08:02 +0000 Commit: Gleb Smirnoff <glebius@FreeBSD.org> CommitDate: 2025-01-11 05:08:02 +0000 libbsnmp: avoid division by zero with empty password PR: 283909 contrib/bsnmp/lib/snmpclient.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
On Sat Jan 11 05:34:29 2025 UTC, commit-hook@FreeBSD.org wrote: > A commit in branch main references this bug: > > URL: > https://cgit.FreeBSD.org/src/commit/?id=4dc1820a16b9b6108e0ff8a0265c08c67fa34146 > > commit 4dc1820a16b9b6108e0ff8a0265c08c67fa34146 > Author: Gleb Smirnoff <glebius@FreeBSD.org> > AuthorDate: 2025-01-11 05:08:02 +0000 > Commit: Gleb Smirnoff <glebius@FreeBSD.org> > CommitDate: 2025-01-11 05:08:02 +0000 > > libbsnmp: avoid division by zero with empty password > > PR: 283909 > > contrib/bsnmp/lib/snmpclient.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-)
Grab as I told Gleb I'll take care of MFC
A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=0bfbd30663b68a851ebf24667d121c6891c86827 commit 0bfbd30663b68a851ebf24667d121c6891c86827 Author: Gleb Smirnoff <glebius@FreeBSD.org> AuthorDate: 2025-01-11 05:08:02 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2025-01-20 14:25:14 +0000 libbsnmptools: avoid uninitialized snmptoolctx->passwd with empty password The removed check left snmptoolctx->passwd pointer to uninitialized memory. Always calling strlcpy(3) would guarantee that with empty password it will point to empty string. Submitted by: markj PR: 283909 (cherry picked from commit 3999a860d6e899de98b1025317d2d0ef1f83255f) usr.sbin/bsnmpd/tools/libbsnmptools/bsnmptools.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
A commit in branch stable/14 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=c4cae8cbc337eaf824774fcba88018e42fa31efa commit c4cae8cbc337eaf824774fcba88018e42fa31efa Author: Gleb Smirnoff <glebius@FreeBSD.org> AuthorDate: 2025-01-11 05:08:02 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2025-01-20 14:25:14 +0000 libbsnmp: avoid division by zero with empty password PR: 283909 (cherry picked from commit 4dc1820a16b9b6108e0ff8a0265c08c67fa34146) contrib/bsnmp/lib/snmpclient.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=8ed2e663712c3749b10af7968a646b9e81b6bcea commit 8ed2e663712c3749b10af7968a646b9e81b6bcea Author: Gleb Smirnoff <glebius@FreeBSD.org> AuthorDate: 2025-01-11 05:08:02 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2025-01-20 14:28:54 +0000 libbsnmp: avoid division by zero with empty password PR: 283909 (cherry picked from commit 4dc1820a16b9b6108e0ff8a0265c08c67fa34146) (cherry picked from commit c4cae8cbc337eaf824774fcba88018e42fa31efa) contrib/bsnmp/lib/snmpclient.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=d6fbd34acbbc90ae106fc1fa08d83d5f25d59039 commit d6fbd34acbbc90ae106fc1fa08d83d5f25d59039 Author: Gleb Smirnoff <glebius@FreeBSD.org> AuthorDate: 2025-01-11 05:08:02 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2025-01-20 14:28:54 +0000 libbsnmptools: avoid uninitialized snmptoolctx->passwd with empty password The removed check left snmptoolctx->passwd pointer to uninitialized memory. Always calling strlcpy(3) would guarantee that with empty password it will point to empty string. Submitted by: markj PR: 283909 (cherry picked from commit 3999a860d6e899de98b1025317d2d0ef1f83255f) (cherry picked from commit 0bfbd30663b68a851ebf24667d121c6891c86827) usr.sbin/bsnmpd/tools/libbsnmptools/bsnmptools.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)