Bug 255214

Summary: bsnmpd crashes regularly
Product: Base System
Reporter: Eugene M. Zheganin <eugene>
Component: bin
Assignee: Shteryana Shopova <syrinx>
Status: New
Severity: Affects Only Me
CC: mg, syrinx
Priority: ---
Version: 12.2-RELEASE
Hardware: Any
OS: Any
Attachments:
  Proposed fix (flags: none)

Description Eugene M. Zheganin 2021-04-19 08:59:30 UTC
bsnmpd crashes regularly (every 3-5 days).

Env:
FreeBSD gw1.tpark-it 12.2-RELEASE-p4 FreeBSD 12.2-RELEASE-p4 GENERIC  amd64

Also bsnmp-ucd-0.4.5 is installed, but according to the backtrace, the crash source is inside the main app.

Backtrace:
===Cut===
[root@gw1:/]# lldb --core /bsnmpd.core /usr/sbin/bsnmpd
(lldb) target create "/usr/sbin/bsnmpd" --core "/bsnmpd.core"
Core file '/bsnmpd.core' (x86_64) was loaded.
(lldb) bt
* thread #1, name = 'bsnmpd', stop reason = signal SIGSEGV
  * frame #0: 0x0000000000213a12 bsnmpd`snmp_input_start(buf=<unavailable>, len=<unavailable>, source="", pdu=0x00007ffffffe2900, ip=0x00007ffffffe28c4, pdulen=<unavailable>) at main.c:644:40
    frame #1: 0x000000000021498e bsnmpd`snmpd_input(pi=0x0000000801045000, tport=0x0000000801008c80) at main.c:1071:9
    frame #2: 0x000000080026fa3e libbegemot.so.4`poll_dispatch(wait=<unavailable>) at rpoll.c:603:6
    frame #3: 0x000000000021593a bsnmpd`main(argc=0, argv=<unavailable>) at main.c:1747:3
    frame #4: 0x00000000002130b0 bsnmpd`_start(ap=<unavailable>, cleanup=<unavailable>) at crt1.c:76:7
(lldb) frame select 0
frame #0: 0x0000000000213a12 bsnmpd`snmp_input_start(buf=<unavailable>, len=<unavailable>, source="", pdu=0x00007ffffffe2900, ip=0x00007ffffffe28c4, pdulen=<unavailable>) at main.c:644:40
   641                          pdu->engine.engine_boots = snmpd_engine.engine_boots;
   642                          pdu->engine.engine_time = snmpd_engine.engine_time;
   643                  }
-> 644          } else if (usm_user->suser.auth_proto != SNMP_AUTH_NOAUTH &&
   645               (pdu->engine.engine_boots == 0 || pdu->engine.engine_time == 0)) {
   646                  snmpd_usmstats.not_in_time_windows++;
   647                  ret = SNMPD_INPUT_FAILED;
(lldb)
===Cut===
Comment 1 Marcin Gryszkalis 2021-05-17 22:17:43 UTC
same here, I don't have symbols but stack seems to be the same:

* thread #1, name = 'bsnmpd', stop reason = signal SIGSEGV
  * frame #0: 0x0000000000213a12 bsnmpd`snmp_input_start + 850
    frame #1: 0x000000000021498e bsnmpd`snmpd_input + 286
    frame #2: 0x000000080026fa3e libbegemot.so.4`poll_dispatch + 1230
    frame #3: 0x000000000021593a bsnmpd`main + 2138
    frame #4: 0x00000000002130b0 bsnmpd`_start + 256
Comment 2 Shteryana Shopova freebsd_committer 2021-09-09 14:12:00 UTC
Created attachment 227785 [details]
Proposed fix

Proposed fix against releng/12.2
Comment 3 Shteryana Shopova freebsd_committer 2021-09-09 14:16:08 UTC
I have been able to reproduce the crash with the same backtrace on 12.2-RELEASE-p7; the proposed patch fixes the crash for me and it would be good if the original reporter confirms that when running bsnmpd with the patch the crash is resolved.

The same fix should apply to FreeBSD-CURRENT too
Comment 4 commit-hook freebsd_committer 2021-10-01 11:15:42 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=8b959dd6a3921c35395bef4a6d7ad2426a3bd88e

commit 8b959dd6a3921c35395bef4a6d7ad2426a3bd88e
Author:     Shteryana Shopova <syrinx@FreeBSD.org>
AuthorDate: 2021-10-01 11:10:39 +0000
Commit:     Shteryana Shopova <syrinx@FreeBSD.org>
CommitDate: 2021-10-01 11:10:39 +0000

    Fix bsnmpd(1) crash with ill-formed Discovery message

    RFC 3414 Section 4. Discovery specifies that a discovery request message has a
    varBindList left empty. Nonetheless, bsnmpd(1) should not crash when receiving
    a non-zero var-bindings list in a Discovery Request message.

    PR:             255214
    MFC after:      2 weeks

 contrib/bsnmp/snmpd/main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
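The backtrace above faults at main.c:644 while reading usm_user->suser.auth_proto, and the commit message ties this to a Discovery message (RFC 3414 section 4: empty engine ID, empty user name, engine boots/time 0, empty varBindList) that nonetheless carries var-bindings. The following is an added, self-contained model of that USM input decision, written for this page; it is not bsnmpd's code and not the one-line patch from the commit. The struct fields, the user table, the find_user() helper and the exact ordering of checks are assumptions chosen to show the hardening point: classify a well-formed discovery request before any user lookup, and test the user pointer for NULL before reading through it, so a discovery-shaped message with a non-empty varBindList is rejected instead of dereferencing NULL.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of SNMPv3/USM message triage in a bsnmpd-like agent.
 * Added illustration for this bug page; field names are assumptions. */

enum auth_proto { AUTH_NOAUTH = 0, AUTH_HMAC_SHA = 1 };
enum input_result { INPUT_OK = 0, INPUT_DISCOVERY = 1, INPUT_FAILED = 2 };

struct usm_user {
    char name[32];
    enum auth_proto auth_proto;
};

struct pdu {
    int version;            /* 3 for SNMPv3 */
    size_t engine_len;      /* msgAuthoritativeEngineID length */
    uint32_t engine_boots;  /* msgAuthoritativeEngineBoots */
    uint32_t engine_time;   /* msgAuthoritativeEngineTime */
    size_t user_len;        /* msgUserName length */
    char user[32];
    unsigned nbindings;     /* number of VarBinds in the varBindList */
};

struct stats {
    unsigned unknown_user_names;
    unsigned not_in_time_windows;
};

/* Constructed user table: one authenticated user, "admin". */
static struct usm_user user_table[] = {
    { "admin", AUTH_HMAC_SHA },
};

static const struct usm_user *find_user(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof(user_table) / sizeof(user_table[0]); i++) {
        if (strlen(user_table[i].name) == len &&
            memcmp(user_table[i].name, name, len) == 0)
            return &user_table[i];
    }
    return NULL; /* unknown (or empty) user name */
}

/* Decide how to treat an incoming SNMPv3 message.
 * A discovery request (RFC 3414 section 4) has an empty engine ID, an
 * empty user name and an empty varBindList; only that shape is answered
 * as discovery. Anything else goes through the user lookup, and the
 * result is checked for NULL before auth_proto is read, so a message
 * that looks like discovery but carries var-bindings fails cleanly. */
enum input_result usm_input_check(const struct pdu *p, struct stats *st)
{
    const struct usm_user *u;

    if (p->version != 3)
        return INPUT_OK; /* v1/v2c community handling not modelled */

    if (p->engine_len == 0 && p->user_len == 0 && p->nbindings == 0)
        return INPUT_DISCOVERY; /* reply with engine ID, boots and time */

    u = find_user(p->user, p->user_len);
    if (u == NULL) {
        /* Includes the ill-formed "discovery with var-bindings" case:
         * without this guard the next read would dereference NULL. */
        st->unknown_user_names++;
        return INPUT_FAILED;
    }

    /* Authenticated user but no time synchronisation yet (boots/time 0):
     * report notInTimeWindow, as the code at main.c:644-647 does. */
    if (u->auth_proto != AUTH_NOAUTH &&
        (p->engine_boots == 0 || p->engine_time == 0)) {
        st->not_in_time_windows++;
        return INPUT_FAILED;
    }
    return INPUT_OK;
}
```

The ordering matters: if the discovery test were relaxed to ignore nbindings, or if the NULL check were skipped because "discovery already handled the empty-user case", an empty user name with a non-empty varBindList would reach the auth_proto read with a NULL user, which is the shape of the crash in the backtrace.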