>Number:         6468
>Category:       system
>Synopsis:       snmpd segfault when receiving a GET request on a hrStorage* table
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Thu Sep 16 16:00:01 GMT 2010
>Closed-Date:
>Last-Modified:
>Originator:     
>Release:        
>Organization:
>Environment:
        System      : OpenBSD 4.7
        Details     : OpenBSD 4.7 (GENERIC) #558: Wed Mar 17 20:46:15 MDT 2010 [email protected]:/usr/src/sys/arch/i386/compile/GENERIC

        Architecture: OpenBSD.i386
        Machine     : i386
>Description:
        snmpd project, mib.c source file, mib_hrstorage() function.

        On line 432, idx can be set to 0 when a GET request is issued on
        the table OID itself:

                idx = o->bo_id[OIDIDX_hrStorageEntry];

        A few tests then determine which type of device is being handled
        (as described in the related comment). If idx == 0, the value is
        left unaltered and falls through to the default case of the
        following switch statement:

                switch(idx) {
                [...]
                default:
                        mnt = &mntbuf[idx - 31];
                        descr = mnt->f_mntonname;
                        units = mnt->f_bsize;

        The statfs pointer mnt is then assigned an incorrect address
        (with idx == 0, mntbuf[idx - 31] lies outside the array), and
        snmpd segfaults when mnt->f_bsize is accessed.
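        To make the failure mode concrete, the following C program is an
        added example, not code from snmpd or the OpenBSD source tree. It
        models the index handling described above with a constructed
        two-entry mount table: the original upper-bound check, the check
        from the proposed fix, the `idx - 31` offset the default case
        computes, and a lookup that refuses any index that would land
        outside the table. All names other than idx, maxsize and mntbuf
        are assumptions for this illustration.

```c
/*
 * Added illustration, not code from snmpd or the OpenBSD tree: it models the
 * index handling the report describes for mib_hrstorage() so the effect of
 * the missing "idx == 0" check can be seen in isolation.  The structure,
 * table contents and helper names below are constructed for the example;
 * the only values taken from the report are the "idx - 31" offset and the
 * shape of the two bounds checks.
 */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the getmntinfo(3) array snmpd keeps in mntbuf. */
struct mnt_entry {
	const char	*f_mntonname;
	unsigned long	 f_bsize;
};

static const struct mnt_entry mntbuf[] = {
	{ "/",    512  },
	{ "/usr", 4096 },
};

/* Disk entries start at table index 31, mirroring "mntbuf[idx - 31]". */
#define HRSTORAGE_DISK_BASE	31U
#define HRSTORAGE_NENTRIES	(sizeof(mntbuf) / sizeof(mntbuf[0]))
#define HRSTORAGE_MAXSIZE	((uint32_t)(HRSTORAGE_DISK_BASE + HRSTORAGE_NENTRIES - 1))

/* Check as the report describes the original code: upper bound only. */
int
hrstorage_idx_valid_before(uint32_t idx, uint32_t maxsize)
{
	return !(idx > maxsize);
}

/* Check as proposed in the report's fix: index 0 is rejected as well. */
int
hrstorage_idx_valid_after(uint32_t idx, uint32_t maxsize)
{
	return !(idx > maxsize || idx == 0);
}

/* Offset the default case computes; for idx < 31 the unsigned subtraction wraps. */
uint32_t
hrstorage_disk_offset(uint32_t idx)
{
	return idx - HRSTORAGE_DISK_BASE;
}

/*
 * Lookup that cannot read outside mntbuf: NULL for index 0, for indices past
 * maxsize, and for indices below the first disk slot (those map to the
 * non-disk cases of the real switch, which this example does not model).
 * Re-checking the computed offset against the table length is a cheap
 * second line of defence should the index rules change again.
 */
const struct mnt_entry *
hrstorage_lookup(uint32_t idx)
{
	uint32_t off;

	if (!hrstorage_idx_valid_after(idx, HRSTORAGE_MAXSIZE))
		return (NULL);
	if (idx < HRSTORAGE_DISK_BASE)
		return (NULL);
	off = hrstorage_disk_offset(idx);
	if (off >= HRSTORAGE_NENTRIES)
		return (NULL);
	return (&mntbuf[off]);
}

int
main(void)
{
	uint32_t idx = 0;	/* what a GET on the table OID yields, per the report */
	const struct mnt_entry *m;

	printf("idx=%" PRIu32 ": accepted by original check=%d, by patched check=%d\n",
	    idx, hrstorage_idx_valid_before(idx, HRSTORAGE_MAXSIZE),
	    hrstorage_idx_valid_after(idx, HRSTORAGE_MAXSIZE));
	printf("mntbuf offset the default case would use: %" PRIu32 "\n",
	    hrstorage_disk_offset(idx));
	for (idx = HRSTORAGE_DISK_BASE; idx <= HRSTORAGE_MAXSIZE; idx++)
		if ((m = hrstorage_lookup(idx)) != NULL)
			printf("idx=%" PRIu32 " -> %s (bsize %lu)\n", idx,
			    m->f_mntonname, m->f_bsize);
	return (0);
}
```

        Running it shows the original check accepting idx == 0 while the
        subtraction in the default case wraps to an offset far beyond the
        table, which is exactly the out-of-bounds read the report traces
        to the mnt->f_bsize access.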
>How-To-Repeat:
        - write a valid /etc/snmpd.conf file
        - start snmpd
        - issue the following command with a valid community string
                snmpget -v1 -c<comm> <ip_address> 1.3.6.1.2.1.25.2.3.1.6
>Fix:
        The following patch should do the trick

        --- mib.c       Thu Sep 16 16:58:06 2010
        +++ mib.c.orig  Thu Sep 16 16:47:13 2010
        @@ -430,7 +430,7 @@ mib_hrstorage(struct oid *oid, struct ber_oid *o,
        stru
                 * higher for disk storage.
                 */
                idx = o->bo_id[OIDIDX_hrStorageEntry];
        -       if (idx > (u_int)maxsize || idx == 0)
        +       if (idx > (u_int)maxsize)
                        return (1);
                else if (idx > 2 && idx < 10)
                        idx = 10;
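        Review bot: the diff headers are the wrong way round: `--- mib.c` carries the newer timestamp (16:58) and `+++ mib.c.orig` the older one (16:47), so the `-` line is the fixed code and the `+` line is the original. Applied with patch(1) as written, the hunk would leave `if (idx > (u_int)maxsize)` in place rather than install `if (idx > (u_int)maxsize || idx == 0)`; regenerate it with `diff -u mib.c.orig mib.c` or apply it with `patch -R`. The `@@` header has also been wrapped onto two lines by the mailer ("stru" on its own line), which patch(1) will not parse, so send it as an attachment or with line wrapping disabled. The check itself is the right fix for the report: rejecting idx == 0 before the switch stops the default case from computing mntbuf[idx - 31] with a wrapped unsigned index.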

--
Rimi Laurent

  Phone: +352 26 10 30 61
  General Support: [email protected]
  GPG FP: 27F4 6810 2B0E 1AA0 CDAE  7C7B 3DC9 085A 0FA0 0601


>Release-Note:
>Audit-Trail:
>Unformatted: