Bug 283909

Summary:

bsnmpget/walk: coredump when SNMPPASSWD is empty

Product:

Base System

Reporter:

Tassilo Philipp <tphilipp>

Component:

bin

Assignee:

Ed Maste <emaste>

Status:

Closed FIXED

Severity:

Affects Some People

CC:

dim, emaste, glebius, markj, thj, ziaee

Priority:

---

Version:

13.3-RELEASE

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
suggested patch	none

Description Tassilo Philipp 2025-01-07 19:54:57 UTC

To repro, with a running bsnmpd listening on default port, not the empty password env var:

$ env SNMPUSER=bsnmp SNMPPRIV=aes SNMPAUTH=sha SNMPPASSWD= bsnmpget 1
Floating point exception (core dumped)
$ ls bsnmpget.core
bsnmpget.core


Same for bsnmpwalk

Comment 1 Alexander Ziaee freebsd_committer

2025-01-09 04:40:52 UTC

^triage: I am not getting this core dump using the command you provided on 15-CURRENT.

Comment 2 Gleb Smirnoff freebsd_committer

2025-01-09 04:56:55 UTC

I reproduced it:

    at /usr/src/FreeBSD/contrib/bsnmp/lib/snmpcrypto.c:274
274                             authbuf[i] = passwd[(loop + i) % pwdlen];

pwdlen is 0 here.

Comment 3 Gleb Smirnoff freebsd_committer

2025-01-09 05:07:21 UTC

Created attachment 256565 [details]
suggested patch

Comment 4 Mark Johnston freebsd_committer

2025-01-10 20:30:19 UTC

(In reply to Gleb Smirnoff from comment #3)
Looks reasonable to me.  The code which allocates the buffer also looks wrong:

 174         if ((str = getenv("SNMPPASSWD")) != NULL) {                                                                                                                                                                                                                                                                      
 175                 if ((slen = strlen(str)) > MAXSTR)                                                                                                                                                                                                                                                                       
 176                         slen = MAXSTR - 1;                                                                                                                                                                                                                                                                               
 177                 if ((snmptoolctx->passwd = malloc(slen + 1)) == NULL) {                                                                                                                                                                                                                                                  
 178                         warn("malloc() failed");                                                                                                                                                                                                                                                                         
 179                         return (-1);                                                                                                                                                                                                                                                                                     
 180                 }                                                                                                                                                                                                                                                                                                        
 181                 if (slen > 0)                                                                                                                                                                                                                                                                                            
 182                         strlcpy(snmptoolctx->passwd, str, slen + 1);                                                                                                                                                                                                                                                     
 183         }               

Aren't we leaving passwd[0] uninitialized if slen == 0?

Comment 5 Gleb Smirnoff freebsd_committer

2025-01-11 04:46:08 UTC

On Fri Jan 10 20:30:19  2025 UTC, markj@FreeBSD.org wrote:
> Aren't we leaving passwd[0] uninitialized if slen == 0?

Agreed. We should strlcpy() unconditionally.

Comment 6 commit-hook freebsd_committer

2025-01-11 05:34:27 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=3999a860d6e899de98b1025317d2d0ef1f83255f

commit 3999a860d6e899de98b1025317d2d0ef1f83255f
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2025-01-11 05:08:02 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2025-01-11 05:08:02 +0000

    libbsnmptools: avoid uninitialized snmptoolctx->passwd with empty password

    The removed check left snmptoolctx->passwd pointer to uninitialized
    memory.  Always calling strlcpy(3) would guarantee that with empty
    password it will point to empty string.

    Submitted by:   markj
    PR:             283909

 usr.sbin/bsnmpd/tools/libbsnmptools/bsnmptools.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Comment 7 commit-hook freebsd_committer

2025-01-11 05:34:29 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=4dc1820a16b9b6108e0ff8a0265c08c67fa34146

commit 4dc1820a16b9b6108e0ff8a0265c08c67fa34146
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2025-01-11 05:08:02 +0000
Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
CommitDate: 2025-01-11 05:08:02 +0000

    libbsnmp: avoid division by zero with empty password

    PR:             283909

 contrib/bsnmp/lib/snmpclient.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 8 Gleb Smirnoff freebsd_committer

2025-01-11 20:33:26 UTC

On Sat Jan 11 05:34:29  2025 UTC, commit-hook@FreeBSD.org wrote:
> A commit in branch main references this bug:
> 
> URL:
> https://cgit.FreeBSD.org/src/commit/?id=4dc1820a16b9b6108e0ff8a0265c08c67fa34146
> 
> commit 4dc1820a16b9b6108e0ff8a0265c08c67fa34146
> Author:     Gleb Smirnoff <glebius@FreeBSD.org>
> AuthorDate: 2025-01-11 05:08:02 +0000
> Commit:     Gleb Smirnoff <glebius@FreeBSD.org>
> CommitDate: 2025-01-11 05:08:02 +0000
> 
>     libbsnmp: avoid division by zero with empty password
> 
>     PR:             283909
> 
>  contrib/bsnmp/lib/snmpclient.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Comment 9 Ed Maste freebsd_committer

2025-01-13 20:34:56 UTC

Grab as I told Gleb I'll take care of MFC

Comment 10 commit-hook freebsd_committer

2025-01-20 14:27:27 UTC

A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=0bfbd30663b68a851ebf24667d121c6891c86827

commit 0bfbd30663b68a851ebf24667d121c6891c86827
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2025-01-11 05:08:02 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2025-01-20 14:25:14 +0000

    libbsnmptools: avoid uninitialized snmptoolctx->passwd with empty password

    The removed check left snmptoolctx->passwd pointer to uninitialized
    memory.  Always calling strlcpy(3) would guarantee that with empty
    password it will point to empty string.

    Submitted by:   markj
    PR:             283909

    (cherry picked from commit 3999a860d6e899de98b1025317d2d0ef1f83255f)

 usr.sbin/bsnmpd/tools/libbsnmptools/bsnmptools.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Comment 11 commit-hook freebsd_committer

2025-01-20 14:27:28 UTC

A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=c4cae8cbc337eaf824774fcba88018e42fa31efa

commit c4cae8cbc337eaf824774fcba88018e42fa31efa
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2025-01-11 05:08:02 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2025-01-20 14:25:14 +0000

    libbsnmp: avoid division by zero with empty password

    PR:             283909
    (cherry picked from commit 4dc1820a16b9b6108e0ff8a0265c08c67fa34146)

 contrib/bsnmp/lib/snmpclient.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 12 commit-hook freebsd_committer

2025-01-20 14:29:30 UTC

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=8ed2e663712c3749b10af7968a646b9e81b6bcea

commit 8ed2e663712c3749b10af7968a646b9e81b6bcea
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2025-01-11 05:08:02 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2025-01-20 14:28:54 +0000

    libbsnmp: avoid division by zero with empty password

    PR:             283909
    (cherry picked from commit 4dc1820a16b9b6108e0ff8a0265c08c67fa34146)
    (cherry picked from commit c4cae8cbc337eaf824774fcba88018e42fa31efa)

 contrib/bsnmp/lib/snmpclient.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 13 commit-hook freebsd_committer

2025-01-20 14:29:31 UTC

A commit in branch stable/13 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=d6fbd34acbbc90ae106fc1fa08d83d5f25d59039

commit d6fbd34acbbc90ae106fc1fa08d83d5f25d59039
Author:     Gleb Smirnoff <glebius@FreeBSD.org>
AuthorDate: 2025-01-11 05:08:02 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2025-01-20 14:28:54 +0000

    libbsnmptools: avoid uninitialized snmptoolctx->passwd with empty password

    The removed check left snmptoolctx->passwd pointer to uninitialized
    memory.  Always calling strlcpy(3) would guarantee that with empty
    password it will point to empty string.

    Submitted by:   markj
    PR:             283909

    (cherry picked from commit 3999a860d6e899de98b1025317d2d0ef1f83255f)
    (cherry picked from commit 0bfbd30663b68a851ebf24667d121c6891c86827)

 usr.sbin/bsnmpd/tools/libbsnmptools/bsnmptools.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)