It seems the problem was introduced in net-snmp-5.0.10.2, which was supposed to fix a security issue for NETSNMP_TRANSPORT_FLAG_STREAM. It is in snmplib/snmp_api.c.
See below, the original (net-snmp-5.0.10) is correct, free(rxbuf). However, in net-snmp-5.0.10.2, it was changed to free(isp->packet), which makes snmpd grow huge when invalid packets come. It will eventually freeze the machine. - security????

Here is the diff between net-snmp-5.0.10 and net-snmp-5.0.10.2.

--- net-snmp-5.0.10/snmplib/snmp_api.c 2005-05-23 13:30:02.000000000 -0700 +++ net-snmp-5.0.10.2/snmplib/snmp_api.c 2005-06-30 08:40:42.000000000 -0700 @@ -5299,7 +5299,7 @@ sp->s_snmp_errno = SNMPERR_BAD_RECVFROM; sp->s_errno = errno; snmp_set_detail(strerror(errno)); - free(rxbuf); + free(isp->packet); if (opaque != NULL) { free(opaque); } @@ -5324,8 +5324,7 @@ */ DEBUGMSGTL(("sess_read", "fd %d closed\n", transport->sock)); transport->f_close(transport); - free(rxbuf); - isp->packet = NULL; + SNMP_FREE(isp->packet); if (opaque != NULL) { free(opaque); } @@ -5352,13 +5351,13 @@ DEBUGMSGTL(("sess_read", " loop packet_len %d, PDU length %d\n", isp->packet_len, pdulen)); - - if (pdulen > MAX_PACKET_LENGTH) { + + if ((pdulen > MAX_PACKET_LENGTH) || (pdulen < 0)) { /* * Illegal length, drop the connection. */ snmp_log(LOG_ERR, - "Maximum packet size exceeded in a request.\n"); + "Received broken packet. Closing session.\n"); if (sp->callback != NULL) { DEBUGMSGTL(("sess_read", "perform callback with op=DISCONNECT\n")); @@ -5373,7 +5372,7 @@ return -1; } - if (pdulen > isp->packet_len) { + if (pdulen > isp->packet_len || pdulen == 0) { /* * We don't have a complete packet yet. Return, and wait for * more data to arrive.

-----Original Message-----
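Review bot: in the @@ -5299 hunk (the SNMPERR_BAD_RECVFROM path), `free(rxbuf)` became `free(isp->packet)`, so rxbuf itself is no longer released on this error path; whenever rxbuf is a block allocated for this read rather than an alias of isp->packet (the UDP case the original report drives with udpsic), every failing receive now leaks that block, which is consistent with the unbounded growth described above. The plain `free(isp->packet)` also leaves isp->packet dangling, unlike the `SNMP_FREE(isp->packet)` used in the next hunk. Suggest releasing rxbuf when it was allocated separately from isp->packet, and using SNMP_FREE here so the pointer is cleared in both places.

Review bot: in the @@ -5324 hunk (the "fd closed" path), replacing `free(rxbuf); isp->packet = NULL;` with `SNMP_FREE(isp->packet);` is only equivalent when rxbuf and isp->packet refer to the same allocation; if the two can differ on this path, rxbuf leaks exactly as in the previous hunk. If this branch is only reachable for stream transports where rxbuf lies inside isp->packet, state that invariant in a comment next to the SNMP_FREE so the next reader does not have to rediscover it.

Review bot: in the @@ -5352 hunk the added `pdulen < 0` guard is the right check, but the replacement message "Received broken packet. Closing session." drops the distinction between an oversized PDU and a negative length and names neither the offending value nor the peer. For an operator trying to tell a fuzzing run from a broken client, log pdulen (and the peer address where the transport can provide it) so the two conditions stay distinguishable in the log.

Review bot: in the @@ -5373 hunk, treating `pdulen == 0` as "not a complete packet yet" keeps the bytes already in isp->packet and returns to wait for more, so input that never yields a usable length accumulates until the MAX_PACKET_LENGTH check in the previous hunk closes the session. That bound should be stated in the comment here, and if a zero length can also mean a malformed header rather than a short read, the two cases should be told apart so that garbage is dropped as soon as it is recognised instead of being buffered up to the limit.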
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fong Tsui
Sent: Wednesday, November 09, 2005 12:28 PM
To: net-snmp-coders@lists.sourceforge.net
Subject: snmpd memory grows on invalid udp requests

Hi,

It looks like snmpd buffers invalid udp requests on its port instead of properly throwing them away. Using udpsic to throw about 5 minutes of garbage traffic at the port, snmpd's memory image grows from a slim 5k to a fat 380 Megabytes.

typical snmpd at startup:

  PID   USER  PRI NI  SIZE  RSS   SHARE STAT %CPU %MEM  TIME  CPU COMMAND
  31175 root  15  0   5212  5212  1684  S    0.0  0.4   0:00  0   snmpd

snmpd after a few minutes with udpsic (note cpu usage -- udpsic is no longer running at this point):

  PID   USER  PRI NI  SIZE  RSS   SHARE STAT %CPU %MEM  TIME  CPU COMMAND
  7542  root  25  0   380M  169M  488   R    95.8 45.4  13:00 0   snmpd

The command used to send invalid requests is:

  udpsic -s rand -d 172.16.240.34,161 -F27

Is this a known bug? Do we have a fix? We are running 5.0.9 on linux.

Thanks,
FT

_______________________________________________
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
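To make the free(rxbuf) versus free(isp->packet) difference from the reply above concrete, here is an added C model of the failing-read path; it is my own illustration, not net-snmp code, and it assumes (from the diff, not from the page) that a stream session reads into the tail of isp->packet while a datagram session reads each message into its own malloc'd rxbuf. It counts how many receive buffers survive n failed reads under the 5.0.10 handling, the 5.0.10.2 handling, and a variant that releases whatever the read actually allocated.

```c
#include <stdlib.h>

#define RXBUF_LEN 1500          /* constructed: one datagram-sized read */
#define PARTIAL   100           /* constructed: bytes already buffered on a stream */
enum variant { OLD_FREE_RXBUF, NEW_FREE_PACKET, FIXED };

/* Hypothetical model of the state the diff touches, not net-snmp's real
 * structures: a stream session accumulates bytes in isp->packet and reads at
 * its tail; a datagram session reads each message into its own malloc'd rxbuf. */
struct internal_session { unsigned char *packet; size_t packet_len; };

/* Simulate n reads that all fail in the transport (the BAD_RECVFROM path) and
 * return how many datagram rxbufs are still allocated afterwards, or -1 if the
 * variant would hand a pointer into the middle of isp->packet to free(). */
int leaked_after(int n, int is_stream, enum variant v)
{
    struct internal_session isp = { NULL, 0 };
    int live_rxbufs = 0;
    if (is_stream) {                        /* a partial PDU is already buffered */
        isp.packet = malloc(PARTIAL);
        isp.packet_len = PARTIAL;
    }
    for (int i = 0; i < n; i++) {
        unsigned char *rxbuf;
        if (is_stream) {
            isp.packet = realloc(isp.packet, isp.packet_len + RXBUF_LEN);
            rxbuf = isp.packet + isp.packet_len;   /* not a free()-able address */
        } else {
            rxbuf = malloc(RXBUF_LEN);
            live_rxbufs++;
        }
        /* constructed: this read fails, so the buffer must be given back */
        switch (v) {
        case OLD_FREE_RXBUF:                /* 5.0.10: free(rxbuf) */
            if (is_stream) { free(isp.packet); return -1; }
            free(rxbuf); live_rxbufs--;
            break;
        case NEW_FREE_PACKET:               /* 5.0.10.2: free(isp->packet) */
            free(isp.packet); isp.packet = NULL; isp.packet_len = 0;
            break;                          /* datagram: rxbuf is never released */
        case FIXED:                         /* release what this read allocated */
            if (is_stream) { free(isp.packet); isp.packet = NULL; isp.packet_len = 0; }
            else { free(rxbuf); live_rxbufs--; }
            break;
        }
    }
    free(isp.packet);
    return live_rxbufs;
}
```

With the datagram variant of the 5.0.10.2 handling, the count of outstanding buffers equals the number of failed reads, which is the growth-per-bad-packet behaviour the report describes; the other two variants return to zero.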