We've had this intermittent bug in one of our custom MIB implementations 
that has been driving us nuts for some time.  We just recently managed 
to get valgrind on the embedded device and we discovered a problem in 
the net-snmp library.

The MIB in question was written some time ago and it makes use of the 
mib_table_t interfaces in util_funcs.[ch].  And yes, I realize that 
absolutely nothing in net-snmp currently uses that interface. 
Unfortunately we don't currently have the resources to rewrite the MIB 
using one of the current handlers, so we've been trying to nail down the 
problem in the existing code.

Effectively, there is an array of N elements of size x (specified on 
creation).  Element 0 is never used.  The structure has a current and 
next index; next points to the next free element in the array.  The 
default size of the table is 10.  When there are 9 entries in the table, 
next is 10, i.e., off the end of the allocated memory.  qsort() is then 
invoked as

   qsort(TABLE_START(table),
         table->next_index,
         table->data_size,
         table->compare);

which is effectively

   qsort(&array[1], 10, sizeof(array[0]), comparefn)

and the &array[10] is past the end of allocated memory.  The consequence 
(as reported by valgrind) is that the compare function ends up accessing 
memory beyond the end of the array, and qsort() may well overwrite said 
memory.  This accounts for our seeing snmpd falling over, and snmpd 
reporting bogus data sometimes.

The fix is to change table->next_index to table->next_index-1.  We've 
tried this fix locally and it definitely solved our problems.  I've 
submitted patch 1752934 with this fix.  I realize that it has no impact 
on the existing net-snmp MIB implementations, but hopefully anyone else 
out there who makes use of this interface and has been hitting 
mysterious failures will now have a solution.

-- 
Glenn McAllister     <[EMAIL PROTECTED]>      +1 416 348 1594
SOMA Networks, Inc.  http://www.somanetworks.com/  +1 416 977 1414

   Asking a writer what he thinks about criticism is like asking a
   lamppost what it feels about dogs.
                                                     - John Osborne
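
An added illustration of the off-by-one described in the message above (not code from the post or from net-snmp): the struct, function names and guard slot are assumptions made for the demo. The array carries one extra slot so the over-long qsort() count stays inside allocated memory and its effect on the adjacent data can be observed.

```c
#include <stdio.h>
#include <stdlib.h>

#define TABLE_SIZE 10          /* default table size from the post */
#define GUARD      (-1)        /* constructed sentinel, smaller than any entry */

/* Hypothetical stand-in for the table in the post; not net-snmp's mib_table_t. */
struct demo_table {
    int    data[TABLE_SIZE + 1]; /* slots 0..9 are the table; slot 10 models memory after it */
    size_t next_index;           /* next free slot; slot 0 is never used */
};

static int cmp_int(const void *a, const void *b)
{
    int x = *(const int *)a, y = *(const int *)b;
    return (x > y) - (x < y);
}

/* Store 9 entries in slots 1..9, in descending order so the sort must move them. */
static void demo_fill(struct demo_table *t)
{
    t->data[0] = 0;
    for (int i = 1; i < TABLE_SIZE; i++)
        t->data[i] = 100 - i;
    t->data[TABLE_SIZE] = GUARD;
    t->next_index = TABLE_SIZE;  /* 9 entries stored, next == 10 */
}

/* Sort starting at slot 1; 'count' is the element count handed to qsort(). */
static int demo_sort(struct demo_table *t, size_t count)
{
    qsort(&t->data[1], count, sizeof(t->data[0]), cmp_int);
    return t->data[TABLE_SIZE] == GUARD; /* 1 if the slot past the table is untouched */
}

/* Returns 1 if the guard survives, 0 if qsort() reached past the table. */
int guard_intact_with_count(int subtract_one)
{
    struct demo_table t;
    demo_fill(&t);
    return demo_sort(&t, subtract_one ? t.next_index - 1 : t.next_index);
}

int main(void)
{
    printf("count = next_index     -> guard intact: %d\n", guard_intact_with_count(0));
    printf("count = next_index - 1 -> guard intact: %d\n", guard_intact_with_count(1));
    return 0;
}
```

With the count taken directly from next_index, the guard value is sorted into slot 1 and a real entry lands in the slot past the table, which mirrors both symptoms in the post: bogus data in the table and memory beyond it being overwritten.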

