Bug 215721 - bsnmpwalk .1 spews out an uninitialized stream for an OID
Summary: bsnmpwalk .1 spews out an uninitialized stream for an OID
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-bugs mailing list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-03 05:39 UTC by Enji Cooper
Modified: 2017-11-05 20:47 UTC

See Also:


Description Enji Cooper freebsd_committer 2017-01-03 05:39:45 UTC
.1 is a common alias for the `iso` OID root. Unfortunately bsnmpwalk doesn't like that -- in particular it claims the OID is too short and spews out a stream of uninitialized memory. Example:

% bsnmpwalk .1 2>&1 | less
ASN.1: short oid at a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 ...
ASN.1: short oid at a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5
...
bsnmpwalk: Snmp dialog: Invalid argument
%

valgrind claimed it was something to do with uninitialized heap space being passed to asn_put_objid(..) from snmp_dialog(..):

ASN.1: short oid at==79003== Use of uninitialised value of size 8
==79003==    at 0x5343CA5: ??? (in /lib/libc.so.7)
==79003==    by 0x5341BB1: ??? (in /lib/libc.so.7)
==79003==    by 0x5341A12: vfprintf_l (in /lib/libc.so.7)
==79003==    by 0x5349F12: fprintf (in /lib/libc.so.7)
==79003==    by 0x4E38D55: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E39D98: asn_put_objid (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E3800E: snmp_binding_encode (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E38198: snmp_pdu_encode (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E32593: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E300E0: snmp_dialog (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x402AAB: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4020DE: ??? (in /usr/bin/bsnmpwalk)
==79003==  Uninitialised value was created by a heap allocation
==79003==    at 0x4C246B0: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==79003==    by 0x4E32548: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E300E0: snmp_dialog (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x402AAB: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4020DE: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4022FFF: ???
==79003==
==79003== Conditional jump or move depends on uninitialised value(s)
==79003==    at 0x5343CB4: ??? (in /lib/libc.so.7)
==79003==    by 0x5341BB1: ??? (in /lib/libc.so.7)
==79003==    by 0x5341A12: vfprintf_l (in /lib/libc.so.7)
==79003==    by 0x5349F12: fprintf (in /lib/libc.so.7)
==79003==    by 0x4E38D55: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E39D98: asn_put_objid (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E3800E: snmp_binding_encode (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E38198: snmp_pdu_encode (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E32593: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E300E0: snmp_dialog (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x402AAB: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4020DE: ??? (in /usr/bin/bsnmpwalk)
==79003==  Uninitialised value was created by a heap allocation
==79003==    at 0x4C246B0: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==79003==    by 0x4E32548: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E300E0: snmp_dialog (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x402AAB: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4020DE: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4022FFF: ???
==79003==

==79003== 19928 errors in context 1 of 2:
==79003== Conditional jump or move depends on uninitialised value(s)
==79003==    at 0x5343CB4: ??? (in /lib/libc.so.7)
==79003==    by 0x5341BB1: ??? (in /lib/libc.so.7)
==79003==    by 0x5341A12: vfprintf_l (in /lib/libc.so.7)
==79003==    by 0x5349F12: fprintf (in /lib/libc.so.7)
==79003==    by 0x4E38D55: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E39D98: asn_put_objid (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E3800E: snmp_binding_encode (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E38198: snmp_pdu_encode (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E32593: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E300E0: snmp_dialog (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x402AAB: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4020DE: ??? (in /usr/bin/bsnmpwalk)
==79003==  Uninitialised value was created by a heap allocation
==79003==    at 0x4C246B0: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==79003==    by 0x4E32548: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E300E0: snmp_dialog (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x402AAB: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4020DE: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4022FFF: ???
==79003== 
==79003== 
==79003== 19928 errors in context 2 of 2:
==79003== Use of uninitialised value of size 8
==79003==    at 0x5343CA5: ??? (in /lib/libc.so.7)
==79003==    by 0x5341BB1: ??? (in /lib/libc.so.7)
==79003==    by 0x5341A12: vfprintf_l (in /lib/libc.so.7)
==79003==    by 0x5349F12: fprintf (in /lib/libc.so.7)
==79003==    by 0x4E38D55: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E39D98: asn_put_objid (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E3800E: snmp_binding_encode (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E38198: snmp_pdu_encode (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E32593: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E300E0: snmp_dialog (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x402AAB: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4020DE: ??? (in /usr/bin/bsnmpwalk)
==79003==  Uninitialised value was created by a heap allocation
==79003==    at 0x4C246B0: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==79003==    by 0x4E32548: ??? (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x4E300E0: snmp_dialog (in /usr/lib/libbsnmp.so.6)
==79003==    by 0x402AAB: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4020DE: ??? (in /usr/bin/bsnmpwalk)
==79003==    by 0x4022FFF: ???

I believe the value passed in via bsnmpwalk is tainted. asn_put_objid is dumping out information for an OID deemed to be len == 1.
Comment 1 Enji Cooper freebsd_committer 2017-01-03 06:30:16 UTC
This changes the a5 a5 a5 to 00 00 00:

$ svn diff -x -p contrib/bsnmp/lib/snmpclient.c
Index: contrib/bsnmp/lib/snmpclient.c
===================================================================
--- contrib/bsnmp/lib/snmpclient.c      (revision 311139)
+++ contrib/bsnmp/lib/snmpclient.c      (working copy)
@@ -1231,7 +1231,7 @@ snmp_send_packet(struct snmp_pdu * pdu)
        struct asn_buf b;
        ssize_t ret;

-       if ((buf = malloc(snmp_client.txbuflen)) == NULL) {
+       if ((buf = calloc(1, snmp_client.txbuflen)) == NULL) {
                seterr(&snmp_client, "%s", strerror(errno));
                return (-1);
        }
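Review bot: the calloc in this hunk hides the symptom rather than fixing it. The buffer passed on to asn_put_objid is still never written for the short OID, so the output changes from a5 a5 a5 to 00 00 00 while the length-1 OID still reaches the encoder, and because zero-filled memory counts as defined, Memcheck will stop reporting the "Use of uninitialised value" in fprintf, making the underlying bug harder to see. Keep the calloc as hardening, but also reject the OID before snmp_send_packet is called; as Comment 5 notes, an OID needs at least two sub-identifiers, so a check on the OID length in bsnmpwalk's argument parsing is where the real fix belongs.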

So... I think I'm getting closer to determining why this is happening and fixing this.
Comment 2 commit-hook freebsd_committer 2017-01-04 07:53:40 UTC
A commit references this bug:

Author: ngie
Date: Wed Jan  4 07:53:01 UTC 2017
New revision: 311263
URL: https://svnweb.freebsd.org/changeset/base/311263

Log:
  Use calloc instead of malloc with buffers in snmp_{recv,send}_packet

  This doesn't fix the issue noted in the PR, but at the very least it
  cleans up the error so it looks a bit more sane, and in the event
  that bsnmp did wander off into the weeds, the likelihood of it
  crashing with more sensible output is greater, in my opinion

  MFC counter set high so I have enough time to resolve the real
  underlying bug in bsnmpwalk

  MFC after:	1 month
  PR:		215721

Changes:
  head/contrib/bsnmp/lib/snmpclient.c
Comment 3 commit-hook freebsd_committer 2017-02-04 15:46:36 UTC
A commit references this bug:

Author: ngie
Date: Sat Feb  4 15:45:39 UTC 2017
New revision: 313200
URL: https://svnweb.freebsd.org/changeset/base/313200

Log:
  MFC r311263:

  Use calloc instead of malloc with buffers in snmp_{recv,send}_packet

  This doesn't fix the issue noted in the PR, but at the very least it
  cleans up the error so it looks a bit more sane, and in the event
  that bsnmp did wander off into the weeds, the likelihood of it
  crashing with more sensible output is greater, in my opinion

  MFC counter set high so I have enough time to resolve the real
  underlying bug in bsnmpwalk

  PR:		215721

Changes:
_U  stable/11/
  stable/11/contrib/bsnmp/lib/snmpclient.c
Comment 4 commit-hook freebsd_committer 2017-02-04 15:46:37 UTC
A commit references this bug:

Author: ngie
Date: Sat Feb  4 15:45:51 UTC 2017
New revision: 313201
URL: https://svnweb.freebsd.org/changeset/base/313201

Log:
  MFC r311263:

  Use calloc instead of malloc with buffers in snmp_{recv,send}_packet

  This doesn't fix the issue noted in the PR, but at the very least it
  cleans up the error so it looks a bit more sane, and in the event
  that bsnmp did wander off into the weeds, the likelihood of it
  crashing with more sensible output is greater, in my opinion

  MFC counter set high so I have enough time to resolve the real
  underlying bug in bsnmpwalk

  PR:		215721

Changes:
_U  stable/10/
  stable/10/contrib/bsnmp/lib/snmpclient.c
Comment 5 Hartmut Brandt freebsd_committer 2017-02-06 09:18:37 UTC
In asn1.c, 641 (asn_put_objid) an OID with a length of 1 is reported as an error using asn_error(). If that returns, the oid is interpreted as 1.0. I suppose that asn_error() (which is called via a function pointer) may be doing something wrong.

For what exactly should .1 be an alias? An OID needs to have at least 2 identifiers. If the first one is .1 then the second one must be something from 0 to 39.
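The ASN.1 rule Hartmut describes, as an added example that is not bsnmp's own code: a minimal BER encoder for OBJECT IDENTIFIER contents (X.690 8.19) with the length check that rejects a lone `.1` instead of letting it decay into 1.0. The function names `oid_encode` and `oid_encodes_to` are mine, not libbsnmp's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Encode subids[0..len) as the contents octets of a BER OBJECT IDENTIFIER
 * (X.690 8.19). Returns the number of bytes written, or -1 when the OID
 * cannot be encoded. The first two sub-identifiers are packed into a single
 * value 40*X + Y, so an OID needs at least two of them: a lone ".1" has no
 * Y to pack and is rejected here instead of being read as 1.0.
 */
int
oid_encode(const uint32_t *subids, size_t len, uint8_t *out, size_t outlen)
{
	size_t n = 0, i;

	if (len < 2 || subids[0] > 2)
		return (-1);
	if (subids[0] < 2 && subids[1] > 39)	/* X = 0 or 1 limits Y to 0..39 */
		return (-1);

	for (i = 1; i < len; i++) {
		uint32_t v = (i == 1) ? 40 * subids[0] + subids[1] : subids[i];
		uint8_t tmp[5];			/* a 32-bit value needs at most 5 groups */
		int k = 0;

		/* base 128, least significant 7-bit group first into tmp */
		do {
			tmp[k++] = (uint8_t)(v & 0x7f);
			v >>= 7;
		} while (v != 0);
		if (n + (size_t)k > outlen)
			return (-1);
		/* emit most significant group first; high bit set on all but the last */
		while (k-- > 0)
			out[n++] = (uint8_t)(tmp[k] | (k ? 0x80 : 0));
	}
	return ((int)n);
}

/* Returns 1 when subids[0..len) encodes to exactly the want[0..wantlen) bytes. */
int
oid_encodes_to(const uint32_t *subids, size_t len, const uint8_t *want,
    size_t wantlen)
{
	uint8_t buf[64];
	int r = oid_encode(subids, len, buf, sizeof(buf));
	return (r >= 0 && (size_t)r == wantlen && memcmp(buf, want, wantlen) == 0);
}
```

With this check in the client, `bsnmpwalk .1` would fail at argument parsing with a clear message rather than handing a length-1 OID to the encoder.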
Comment 6 Enji Cooper freebsd_committer 2017-11-05 20:40:23 UTC
Untaking bsnmp bugs (haven't worked for Isilon for months and have no burning desire to use bsnmp anymore).