Bug 258570 - bsnmpwalk can crash due to bug in snmp_parse_resp()
Summary: bsnmpwalk can crash due to bug in snmp_parse_resp()
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: 13.0-RELEASE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2021-09-18 10:58 UTC by Robert Morris
Modified: 2021-10-04 20:13 UTC

Attachments
Fake snmp server to demonstrate bsnmpwalk crash. (1.50 KB, text/plain)
2021-09-18 10:58 UTC, Robert Morris

Description Robert Morris 2021-09-18 10:58:00 UTC
Created attachment 227978
Fake snmp server to demonstrate bsnmpwalk crash.

snmp_parse_resp() in libbsnmptools contains:

    if (resp->error_status == SNMP_ERR_NOSUCHNAME) {
        warnx("Error - No Such Name");
        return (0);
    }

It should be return(-1). If the name is bad, the return 0
will cause bsnmpwalk to continue with an unchecked reply,
so (for example) if resp.nbindings is zero or huge, this
line will generate a wild pointer:

    snmpwalk_nextpdu_create(op,
        &(resp.bindings[resp.nbindings - 1].var), &req);

The attached fake snmp server demonstrates the problem:

    % cc bsnmpwalk1.c
    % ./a.out &
    waiting on port 1610 for a request
    % bsnmpwalk -s localhost:1610
    SNMP: ignoring trailing junk in message
    bsnmpwalk: Error - No Such Name
    Bus error (core dumped)
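
A reduced model of the control flow described in this report, added here as an illustration; it is not the attached reproducer and not libbsnmptools code. The `ex_`-prefixed struct, constants and functions are stand-ins assumed for the example. It shows the return value before and after the proposed change, plus a caller-side bounds check on the binding count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in definitions for this example only; not the libbsnmp headers. */
#define EX_MAX_BINDINGS   100
#define EX_ERR_NOERROR    0
#define EX_ERR_NOSUCHNAME 2   /* SNMPv1 noSuchName error-status value */

struct ex_pdu {
    int32_t  error_status;
    uint32_t nbindings;                  /* count taken from the peer's reply */
    int32_t  bindings[EX_MAX_BINDINGS];  /* simplified variable bindings */
};

/* Pattern from the report: the error is printed but success (0) is returned. */
static int ex_parse_resp_reported(const struct ex_pdu *resp) {
    if (resp->error_status == EX_ERR_NOSUCHNAME) {
        fprintf(stderr, "Error - No Such Name\n");
        return (0);
    }
    return (resp->error_status == EX_ERR_NOERROR ? 0 : -1);
}

/* Change proposed in the report: noSuchName is a failure. */
static int ex_parse_resp_fixed(const struct ex_pdu *resp) {
    if (resp->error_status == EX_ERR_NOSUCHNAME) {
        fprintf(stderr, "Error - No Such Name\n");
        return (-1);
    }
    return (resp->error_status == EX_ERR_NOERROR ? 0 : -1);
}

/* Caller-side guard: last binding, or NULL when the count is 0 or too large. */
static const int32_t *ex_last_binding(const struct ex_pdu *resp) {
    if (resp->nbindings == 0 || resp->nbindings > EX_MAX_BINDINGS)
        return (NULL);
    return (&resp->bindings[resp->nbindings - 1]);
}

int main(void) {
    /* Constructed reply: noSuchName with an empty binding list. */
    struct ex_pdu bad = { .error_status = EX_ERR_NOSUCHNAME, .nbindings = 0 };
    printf("reported=%d fixed=%d guarded=%s\n", ex_parse_resp_reported(&bad),
        ex_parse_resp_fixed(&bad), ex_last_binding(&bad) ? "use" : "reject");
    return (0);
}
```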