[Pkg-net-snmp-devel] Bug#746225: snmpd: Memory leak when SNMP GET request id is zero

Roland Stigge stigge at antcom.de
Mon Apr 28 08:47:37 UTC 2014


Package: net-snmp
Version: 5.7.2.1~dfsg-5
Severity: important
Tags: patch

Hi,

normally, request ids in snmp get requests are big random integer values. But
if the client application uses zero in this protocol field, the server is
confused, internally using the request id 0 also as error return value of a C
function, leaking memory since the request is valid and answered at the same
time.

See also http://sourceforge.net/p/net-snmp/bugs/2387/

The patch from there fixes the issue. (The upstream bug is open and patched for
quite some time now.) Attaching a local version of it that I tested
successfully.

To reproduce, you can use the attached example snmp requests like this:

# while true ; do nc --send-only -u theserver 161 < packet-request-id-zero.udp ; done

# while true ; do nc --send-only -u theserver 161 < packet-request-id-nonzero.udp ; done

In the first case, the snmpd process grows linearly and fills up the system
after a while, depending on local resources.

It doesn't matter if the respective OID is registered in the server, or returns
an error or not.

Thanks in advance,

Roland

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.12-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-request-id-0.patch
Type: text/x-diff
Size: 534 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-net-snmp-devel/attachments/20140428/71c9f20b/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: packet-request-id-zero.udp
Type: application/octet-stream
Size: 47 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-net-snmp-devel/attachments/20140428/71c9f20b/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: packet-request-id-nonzero.udp
Type: application/octet-stream
Size: 50 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-net-snmp-devel/attachments/20140428/71c9f20b/attachment-0001.obj>
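
A defender's check for the traffic described in this report, as an added example that is not part of the original message or of net-snmp: a minimal BER walk that extracts the request-id from an SNMPv1/v2c datagram and flags GetRequests carrying 0. The function names are hypothetical, the sample datagrams are constructed here (community `public`, OID sysDescr.0) and are not the scrubbed attachments, and SNMPv3 messages are skipped.

```python
class BERError(ValueError):
    """Raised when the datagram is not well-formed BER."""

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    if pos + 2 > len(buf):
        raise BERError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise BERError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise BERError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def read_int(buf, pos):
    tag, val, nxt = read_tlv(buf, pos)
    if tag != 0x02 or not val:
        raise BERError("expected INTEGER")
    return int.from_bytes(val, "big", signed=True), nxt

def request_id(datagram):
    """Return (pdu_tag, request_id) for an SNMPv1/v2c PDU, or None if not applicable."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise BERError("message is not a SEQUENCE")
    version, pos = read_int(msg, 0)
    if version not in (0, 1):            # 0 = v1, 1 = v2c; SNMPv3 is laid out differently
        return None
    tag, _community, pos = read_tlv(msg, pos)
    if tag != 0x04:
        raise BERError("expected community OCTET STRING")
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    if not 0xA0 <= pdu_tag <= 0xA8 or pdu_tag == 0xA4:   # v1 Trap has no request-id
        return None
    rid, _ = read_int(pdu, 0)
    return pdu_tag, rid

def is_zero_id_get(datagram):
    """True only for a parseable GetRequest (tag 0xA0) whose request-id is 0."""
    try:
        return request_id(datagram) == (0xA0, 0)
    except BERError:
        return False

# Constructed samples: SNMPv2c GetRequest, community "public", OID 1.3.6.1.2.1.1.1.0.
_VARBINDS = "300e300c06082b060102010101000500"
SAMPLE_ZERO = bytes.fromhex("3026020101" "04067075626c6963" "a019" "020100" "020100020100" + _VARBINDS)
SAMPLE_NONZERO = bytes.fromhex("3029020101" "04067075626c6963" "a01c" "020412345678" "020100020100" + _VARBINDS)
```

Feed it the UDP payloads of port 161 traffic from a capture; malformed datagrams are reported as non-matching rather than raising.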

