Dear Net-SNMP developers:


I am a Ph.D. student in the Software Engineering Research Group at Case
Western Reserve University, under the instruction of Prof. Andy Podgurski.
In our recent research we analyzed some of the fixed bugs in your issue
database, as well as some revisions which indicate fixing a bug, and tried to
find out whether there are similar bugs left unfixed in the code base.
We applied our approach to your newest release, Net-SNMP 5.3.3, as
well as the trunk code, and we have identified a few potential bugs as
follows.



It would be greatly appreciated if you could reply to this email after you
have gone over the bugs and tell us whether you have confirmed any of them,
since this information is really valuable to us for evaluating our
current method.







*1. Analyzed bug-fix: 2184039 (convexity fixes: missing frees on errors and
error checks)*

(
http://sourceforge.net/tracker/index.php?func=detail&aid=2184039&group_id=12694&atid=312694)


The log of this revision is as follows:

CHANGES: build: PATCH: 2184039: misc fixes for freeing memory during error
conditions.



**************************original bug-fix**********************************

Filename: agent/helpers/table_dataset.c, Function:
netsnmp_config_parse_table_set ()



965     table_set = netsnmp_create_table_data_set(line);

966

967     /*

968      * check for augments indexes

969      */

970      if (NULL != tp->augments) {

971          oid             name[MAX_OID_LEN];

972          size_t          name_length = MAX_OID_LEN;

973          struct tree    *tp2;

974

975          if (!snmp_parse_oid(tp->augments, name, &name_length)) {

976              config_pwarn("I can't parse the augment tabel name");

977              snmp_log(LOG_WARNING, "  can't parse %s\n", tp->augments);

978 +           SNMP_FREE (table_set);

979             return;

980         }
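
Review bot: SNMP_FREE (table_set) at line 978 releases only the top-level allocation returned by netsnmp_create_table_data_set(line) at line 965, so anything that constructor allocated and attached to the set would still be leaked on this error path. If the data set owns nested allocations, tear them down here with the matching cleanup for the whole set rather than a bare free, and check that every other early return after line 965 does the same.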



**************************discovered possible new bug(s)***********************

(1.1) Filename: agent/mibgroup/notification-log-mib/notification_log.c,
Function: initialize_table_nlmLogTable ()

354     /*
355      * create the table structure itself
356      */
357     nlmLogTable = netsnmp_create_table_data_set("nlmLogTable");
358

Comments: Following the original bug-fix pattern, we believe that the
variable “nlmLogTable” in line 357 should be freed at the end using the
function “SNMP_FREE (nlmLogTable)”





(1.2) Filename: agent/mibgroup/notification-log-mib/notification_log.c,
Function: initialize_table_nlmLogVariableTable ()

191     /*
192      * create the table structure itself
193      */
194     table_set = netsnmp_create_table_data_set("nlmLogVariableTable");
195     nlmLogVarTable = table_set;
196     nlmLogVarTable->table->store_indexes = 1;
197

Comments: We believe that the variable “table_set” in line 194 should be
freed at the end using the function “SNMP_FREE (table_set)”









*2. Analyzed bug-fix: 1912647 (memory leak in agentx)*

(
http://sourceforge.net/tracker/index.php?func=detail&aid=1912647&group_id=12694&atid=112694)


The log of this revision is as follows:

CHANGES: snmpd: BUG: 1912647: Fix memory leak following failed requests. Fix
provided by Anton Pak



**************************original bug-fix**********************************

447 +   int result;

……..

610 +   result = snmp_async_send(ax_session, pdu, agentx_got_response,
cb_data);

611

612 +   if (result == 0 ) {

613 +       snmp_free_pdu( pdu );

614 +   }
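
Review bot: the failure branch at lines 612-614 frees only pdu, while cb_data was handed to the same failed snmp_async_send call at line 610 and nothing in the visible lines releases it. If cb_data is allocated per request, free it in this branch as well, and consider logging or propagating the failure so the caller does not treat the request as sent.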



**************************discovered possible new bug(s)***********************

(2.1) Filename: agent/mibgroup/ucd-snmp/proxy.c, Function: proxy_handler ()

443     /*
444      * send the request out
445      */
446     DEBUGMSGTL(("proxy", "sending pdu\n"));
447     snmp_async_send(sp->sess, pdu, proxy_got_response,
448                     netsnmp_create_delegated_cache(handler, reginfo,
449                                                    reqinfo, requests,
450                                                    (void *) sp));
451
452     /* Free any special parameters generated on the session */
453     proxy_free_filled_in_session_args(sp->sess, (void **)&configured);
454
455     return SNMP_ERR_NOERROR;


Comments: We believe that the return value of function “snmp_async_send” in
line 447 should be checked. If the return value is 0, Net-SNMP should call
the function “snmp_free_pdu( pdu )” to free the memory.





Thank you very much!



Sincerely,

Gang Shu



Computer Science Division, EECS

513 Olin Building

Case Western Reserve University

10900 Euclid Avenue

Cleveland, OH 44106

Email: [email protected]
_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
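
The ownership rule behind report (2.1), shown as an added example that is not part of the original message and is not Net-SNMP code: an ignored send result leaks one PDU per failed request, while the checked form does not. All `demo_*` names, `forward_*` and `leaked_after` are constructed stand-ins, and the send contract (0 means failure and the caller still owns the PDU) is assumed from the quoted fix.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins; none of these names are Net-SNMP APIs. */
typedef struct { int reqid; } demo_pdu;
static int live_pdus;                      /* PDUs allocated and not yet freed */

static demo_pdu *demo_pdu_new(int reqid) {
    demo_pdu *p = calloc(1, sizeof *p);
    if (p) { p->reqid = reqid; live_pdus++; }
    return p;
}
static void demo_pdu_free(demo_pdu *p) { if (p) { free(p); live_pdus--; } }

/* Assumed contract, as implied by fix 1912647: a non-zero return means the
 * library took ownership of pdu; 0 means failure and the caller still owns it. */
static int demo_async_send(int session_up, demo_pdu *pdu) {
    int reqid = session_up ? pdu->reqid : 0;
    if (reqid) demo_pdu_free(pdu);         /* library consumes the PDU */
    return reqid;
}

/* Shape reported in (2.1): the send result is ignored. */
static int forward_unchecked(int session_up) {
    demo_pdu *pdu = demo_pdu_new(7);
    if (!pdu) return -1;
    demo_async_send(session_up, pdu);
    return 0;
}

/* Shape of the fix: release the PDU when the send reports failure. */
static int forward_checked(int session_up) {
    demo_pdu *pdu = demo_pdu_new(7);
    if (!pdu) return -1;
    if (demo_async_send(session_up, pdu) == 0) { demo_pdu_free(pdu); return -1; }
    return 0;
}

/* Run fn `calls` times and report how many PDUs were never freed. */
int leaked_after(int (*fn)(int), int session_up, int calls) {
    live_pdus = 0;
    while (calls-- > 0) fn(session_up);
    return live_pdus;
}

int main(void) {
    printf("unchecked: %d leaked, checked: %d leaked\n",
           leaked_after(forward_unchecked, 0, 100), leaked_after(forward_checked, 0, 100));
    return 0;
}
```

The leak grows with the number of failed sends, so in a long-running agent it only shows up while the remote session is unreachable.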