* [ECOS] SNMP GETBULK leaks 50k per request -- security issue
From: Tad @ 2007-06-26 11:14 UTC (permalink / raw)
To: ecos-discuss
A GETBULK request requiring > 8k bytes in the response
(snmp_api.c:PACKET_LENGTH or sendto max)
forgets to free the 50k pdu malloc'ed.
Should be able to crash any ecos snmp system with a couple:
    bulkget -Cr50 -v 2c -c public 192.168.1.199 system system system system system icmp system icmp
which will eat 5 retries x50k at a time
Basically, the snmp_agent.c we're using is POS full of memory leaks if
snmp_send or other errors occur.
I grabbed the latest v4.2 branch from SF of snmp_agent.c, snmp_agent.h,
and snmp_api.h which seem to compile for ecos with virtually no changes
(used the ECOS includes for snmp_agent.c)
The latest snmp_agent.c seems to do a nice job of cleaning up memory and
has a slightly faster SET operation.
http://net-snmp.cvs.sourceforge.net/net-snmp/net-snmp/agent/snmp_agent.c?view=log&r1=1.100&pathrev=V4-2-patches
et al.
--
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss
* [ECOS] Re: SNMP GETBULK leaks 50k per request -- security issue
From: Tad @ 2007-06-26 23:07 UTC (permalink / raw)
To: ecos-discuss
...when snmp_send() fails.
Tad wrote:
> A GETBULK request requiring > 8k bytes in the response
> (snmp_api.c:PACKET_LENGTH or sendto max)
> forgets to free the 50k pdu malloc'ed.
>
> Should be able to crash any ecos snmp system with a couple:
> bulkget -Cr50 -v 2c -c public 192.168.1.199 system system system
> system system icmp system icmp
> which will eat 5 retries x50k at a time
>
> Basically, the snmp_agent.c we're using is POS full of memory leaks if
> snmp_send or other errors occur.
>
> I grabbed the latest v4.2 branch from SF of snmp_agent.c,
> snmp_agent.h, and snmp_api.h which seem to compile for ecos with
> virtually no changes (used the ECOS includes for snmp_agent.c)
>
> The latest snmp_agent.c seems to do a nice job of cleaning up memory
> and has a slightly faster SET operation.
>
> http://net-snmp.cvs.sourceforge.net/net-snmp/net-snmp/agent/snmp_agent.c?view=log&r1=1.100&pathrev=V4-2-patches
>
> et. al.
>
* [ECOS] Re: SNMP GETBULK leaks 50k per request -- security issue
From: Tad @ 2007-06-29 10:04 UTC (permalink / raw)
To: ecos-discuss
If patched, snmp_api.c also needs 3 changes shown in SF tree. 2 points
initialize ->data = 0 and snmp_free_var() frees if data != 0.
Tad wrote:
> ...when snmp_send() fails.
>
> Tad wrote:
>> A GETBULK request requiring > 8k bytes in the response
>> (snmp_api.c:PACKET_LENGTH or sendto max)
>> forgets to free the 50k pdu malloc'ed.
>>
>> Should be able to crash any ecos snmp system with a couple:
>> bulkget -Cr50 -v 2c -c public 192.168.1.199 system system system
>> system system icmp system icmp
>> which will eat 5 retries x50k at a time
>>
>> Basically, the snmp_agent.c we're using is POS full of memory leaks
>> if snmp_send or other errors occur.
>>
>> I grabbed the latest v4.2 branch from SF of snmp_agent.c,
>> snmp_agent.h, and snmp_api.h which seem to compile for ecos with
>> virtually no changes (used the ECOS includes for snmp_agent.c)
>>
>> The latest snmp_agent.c seems to do a nice job of cleaning up memory
>> and has a slightly faster SET operation.
>>
>> http://net-snmp.cvs.sourceforge.net/net-snmp/net-snmp/agent/snmp_agent.c?view=log&r1=1.100&pathrev=V4-2-patches
>>
>> et. al.
>>
>
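The leak pattern discussed in this thread, as an added example that is not part of the original posts and is not eCos or net-snmp source: a handler that returns early when the send fails without freeing the response buffer, next to a version with one cleanup path for both outcomes. The `demo_*` names, `handle_request`, `leaked_after` and the two sizes are assumptions made for illustration.

```c
/* Added example: simplified model; every name and size here is an assumption. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_PACKET (8 * 1024)   /* stand-in for the send-size limit */
#define PDU_BYTES  (50 * 1024)  /* stand-in for the per-request PDU buffer */

static long live_bytes;         /* buffer bytes allocated and not yet freed */

struct demo_var { unsigned char *data; size_t len; };

static struct demo_var *demo_var_new(void) {
    struct demo_var *v = malloc(sizeof *v);
    if (v) { v->data = NULL; v->len = 0; }  /* initialise so freeing is always safe */
    return v;
}

static void demo_var_free(struct demo_var *v) {
    if (!v) return;
    if (v->data) { free(v->data); live_bytes -= (long)v->len; }  /* free only if set */
    free(v);
}

/* Fails, like an oversized send, when the response exceeds the limit. */
static int demo_send(size_t resp_len) { return resp_len > MAX_PACKET ? -1 : 0; }

/* fixed == 0 reproduces the bug: the error path returns without freeing. */
static int handle_request(size_t resp_len, int fixed) {
    struct demo_var *v = demo_var_new();
    if (!v) return -1;
    v->data = malloc(PDU_BYTES);
    if (v->data) { v->len = PDU_BYTES; live_bytes += PDU_BYTES; }
    int rc = v->data ? demo_send(resp_len) : -1;
    if (rc != 0 && !fixed) return rc;  /* leak: v and v->data are lost here */
    demo_var_free(v);                  /* single cleanup for success and failure */
    return rc;
}

/* Returns buffer bytes still held after n requests of the given response size. */
long leaked_after(int n, size_t resp_len, int fixed) {
    live_bytes = 0;
    for (int i = 0; i < n; i++) handle_request(resp_len, fixed);
    return live_bytes;
}

int main(void) {
    printf("leaky: %ld bytes\n", leaked_after(5, 9000, 0));
    printf("fixed: %ld bytes\n", leaked_after(5, 9000, 1));
    return 0;
}
```

Tracking outstanding allocation bytes per request, as `live_bytes` does here, is a cheap regression check for error paths on targets with a small fixed heap.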