Package: net-snmp
Version: 5.7.2.1~dfsg-5
Severity: important
Tags: patch

Hi,

Normally, request IDs in SNMP GET requests are big random integer values. But if the client application uses zero in this protocol field, the server is confused, internally using the request ID 0 also as the error return value of a C function, leaking memory since the request is valid and answered at the same time.

See also http://sourceforge.net/p/net-snmp/bugs/2387/

The patch from there fixes the issue. (The upstream bug is open and patched for quite some time now.) Attaching a local version of it that I tested successfully.

To reproduce, you can use the attached example SNMP requests like this:

# while true ; do nc --send-only -u theserver 161 < packet-request-id-zero.udp ; done
# while true ; do nc --send-only -u theserver 161 < packet-request-id-nonzero.udp ; done

In the first case, the snmpd process grows linearly and fills up the system after a while, depending on local resources. It doesn't matter if the respective OID is registered in the server, or returns an error or not.

Thanks in advance,
Roland

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.12-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Description: SNMP GET REQUESTS with REQUEST ID 0 triggered a memory leak that is fixed by this patch --- netsnmp-5.7.2/snmplib/snmp_api.c.orig 2014-04-04 13:19:13.650991417 +0200 +++ netsnmp-5.7.2/snmplib/snmp_api.c 2014-04-04 13:20:02.140469625 +0200 @@ -4998,6 +4998,9 @@ /* * No response expected... */ + if ((reqid == 0) && (pdu->command == SNMP_MSG_RESPONSE)) { + reqid = 2; + } if (reqid) { /* * Free v1 or v2 TRAP PDU iff no error
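Review bot: the literal `reqid = 2` in the added `if ((reqid == 0) && (pdu->command == SNMP_MSG_RESPONSE))` block is an unexplained magic number; add a comment stating that it is only a non-zero sentinel so the following `if (reqid)` branch frees the response PDU, and why 2 rather than 1, or use a named constant. The change also leaves the root ambiguity described in the report in place: 0 is both a legal on-the-wire request-id and this function's failure return, so for any other PDU type reaching the "No response expected" path a zero request-id is still indistinguishable from an error. Since the context comment says the PDU is freed "iff no error", please confirm that a zero reqid on a response can never also indicate a genuine failure, otherwise forcing it to 2 would hide that failure from the caller that reads reqid as the result.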
packet-request-id-zero.udp
Description: Binary data
packet-request-id-nonzero.udp
Description: Binary data
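To check captured or replayed datagrams for the request-id 0 case described in the report, here is a small header parser for SNMP v1/v2c messages, added as an example and not part of the report or of net-snmp. The two sample packets are constructed inline (an SNMPv2c GetRequest for sysDescr.0 with community "public"), not the attached .udp files.

```python
"""Header parser for SNMP v1/v2c messages (BER, definite lengths only)."""

# Constructed sample: SNMPv2c GetRequest for sysDescr.0, community "public",
# request-id 0 (the value the report says makes snmpd leak memory).
GET_REQUEST_ID_ZERO = bytes.fromhex(
    "3026 020101 0406 7075626c6963 a019 020100 020100 020100"
    "300e 300c 0608 2b06010201010100 0500"
)
# Constructed sample: same request with request-id 0x12345678 (the normal case).
GET_REQUEST_ID_NONZERO = bytes.fromhex(
    "3029 020101 0406 7075626c6963 a01c 0204 12345678 020100 020100"
    "300e 300c 0608 2b06010201010100 0500"
)

def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the BER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload):
    """Extract version, community, PDU type and request-id from a v1/v2c message."""
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing")
    tag, version, pos = _read_tlv(msg, 0)
    if tag != 0x02 or version not in (b"\x00", b"\x01"):
        raise ValueError("only SNMPv1 (0) and v2c (1) messages are handled")
    tag, community, pos = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("community must be an OCTET STRING")
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag == 0xA4:                     # v1 Trap-PDU starts with an OID, has no request-id
        raise ValueError("SNMPv1 Trap-PDU carries no request-id")
    if not 0xA0 <= pdu_tag <= 0xA8:
        raise ValueError("unexpected PDU tag 0x%02x" % pdu_tag)
    tag, reqid, _ = _read_tlv(pdu, 0)       # request-id is the first field of every other PDU
    if tag != 0x02:
        raise ValueError("request-id must be an INTEGER")
    return {"version": version[0],
            "community": community.decode("ascii", "replace"),
            "pdu_type": pdu_tag,
            "request_id": int.from_bytes(reqid, "big", signed=True)}

def has_zero_request_id(payload):
    """True when the datagram carries the request-id 0 that exercised the leak."""
    return parse_snmp_header(payload)["request_id"] == 0
```

The request-id is a signed INTEGER, so the decoder keeps the sign; v3 messages and v1 traps are rejected because their layout after the version field differs.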