Hello, Wes!

Thank you for the fast reply!

Yes, at this time it's reproducible only via TCP, but in principle it does not matter which transport we are using. The 'Z' symbol is only one example.

The protocol parser code (snmplib/snmp_api.c) has an infinite loop by default, which processes multiple PDUs from a stream socket. If the parser receives a broken PDU, it returns pdu_length as zero, and the while cycle goes into an infinite loop. See snmplib/snmp_api.c, func _sess_read(void *sessp, fd_set * fdset), lines around 5379, 5385 and 5465.

In the patch I sent to you in the previous letter, I've inserted an additional check that pdu_length is non-zero (at line 5395), and the agent has become stable on my installations.

--
Wishing you a nice day,
___________________________ Roman Tsiroulnikov
Monitoring & infrastructure
projects
Tel. +7(812) 336-57-88
Wes Hardaker wrote:

On Wed, 29 Jun 2005 12:36:49 +0400, Roman Tsiroulnikov <[EMAIL PROTECTED]> said:

Roman> We've found a critical bug in net-snmp library, in requests PDU
Roman> parser. In particular situations, if snmp daemon receives
Roman> incorrect or broken request PDU, it infinitely loops within
Roman> PDU parser code, taking 100% load on one CPU, and stops
Roman> serving further requests.

There should be code to prevent that from happening already in place.

Roman> To reproduce this bug: send 1-byte request with 'Z' symbol. You
Roman> can use something like netcat or this is 100% reproducible by
Roman> running Nessus scanner.

Ok, I've reproduced it for 5.1.2. I'm checking other versions, but f

Roman> TCP & UDP code both affected.

Only TCP is affected as far as I can tell so far. UDP doesn't have this issue from anything I've tested. In fact, if you look at the code in question it only affects stream sockets. I've tested things just to be sure, however, and there are no issues. At least with the letter 'Z'.
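The loop behaviour discussed in this message, as an added example that is not part of the original e-mail and is not net-snmp's code: a stream-draining loop in C with the non-zero pdu_length check. The framing (tag 0x30 followed by a one-byte short-form length) and the names pdu_total_length and drain_stream are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the library's PDU length check: returns the
 * total length of the PDU at buf, or 0 if the header cannot be parsed.
 * Assumed framing: tag 0x30 followed by a one-byte short-form length. */
static size_t pdu_total_length(const unsigned char *buf, size_t len)
{
    if (len >= 1 && buf[0] != 0x30)
        return 0;                     /* not a SEQUENCE: broken PDU */
    if (len < 2)
        return 2;                     /* header incomplete, need more bytes */
    if (buf[1] & 0x80)
        return 0;                     /* long-form length not handled here */
    return 2 + (size_t)buf[1];
}

/* Consume complete PDUs from a stream buffer. Returns the number processed
 * (bytes consumed go to *used), or -1 when the data is malformed. */
int drain_stream(const unsigned char *buf, size_t len, size_t *used)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        size_t pdu_length = pdu_total_length(buf + off, len - off);
        if (pdu_length == 0) {
            /* Without this check, off never advances and the loop spins. */
            *used = off;
            return -1;                /* caller should close the connection */
        }
        if (pdu_length > len - off)
            break;                    /* partial PDU: wait for more data */
        off += pdu_length;            /* a real agent would parse the PDU here */
        count++;
    }
    *used = off;
    return count;
}

int main(void)
{
    /* Constructed inputs: two minimal well-formed frames, then the byte 'Z'. */
    const unsigned char good[] = { 0x30, 0x01, 0x00, 0x30, 0x00 };
    const unsigned char bad[]  = { 'Z' };
    size_t used = 0;
    printf("good: %d\n", drain_stream(good, sizeof good, &used));
    printf("bad:  %d\n", drain_stream(bad, sizeof bad, &used));
    return 0;
}
```

The -1 return separates "malformed, drop the session" from the partial-PDU case, where the loop exits normally and the remaining bytes stay buffered until more data arrives.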
