[Bug 258570] bsnmpwalk can crash due to bug in snmp_parse_resp()

From: <bugzilla-noreply_at_freebsd.org>
Date: Sat, 18 Sep 2021 10:58:00 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=258570

            Bug ID: 258570
           Summary: bsnmpwalk can crash due to bug in snmp_parse_resp()
           Product: Base System
           Version: 13.0-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu
 Attachment #227978 mime type: text/plain

Created attachment 227978
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=227978&action=edit
Fake snmp server to demonstrate bsnmpwalk crash.

snmp_parse_resp() in libbsnmptools contains:

    if (resp->error_status == SNMP_ERR_NOSUCHNAME) {
        warnx("Error - No Such Name");
        return (0);
    }

It should be return(-1). If the name is bad, the return 0
will cause bsnmpwalk to continue with an unchecked reply,
so (for example) if resp.nbindings is zero or huge, this
line will generate a wild pointer:

           snmpwalk_nextpdu_create(op,
                &(resp.bindings[resp.nbindings - 1].var), &req);
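
The failure mode above, modelled as an added example (this is not bsnmp's own code and not the attachment): a constructed stand-in for the PDU with just the fields the report names, the reported `return (0)` beside the proposed `return (-1)`, and a model of the walk step that shows where `resp.nbindings - 1` wraps when the binding count is zero. The struct layout, `SNMP_MAX_BINDINGS`, the `walk_step`/`demo` helpers and the optional binding-count guard are assumptions added for illustration, not libbsnmp definitions; the guard is there because the return-value fix alone does not help if an agent sends a NOERROR reply carrying no bindings.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed stand-ins for the bsnmp PDU fields the report talks about
 * (error status and the binding array). Field names follow the report;
 * the struct layout and SNMP_MAX_BINDINGS value are assumptions, not
 * libbsnmp's definitions.
 */
#define SNMP_ERR_NOERROR    0
#define SNMP_ERR_NOSUCHNAME 2
#define SNMP_MAX_BINDINGS   100

struct fake_binding { uint32_t oid_len; uint32_t oid[16]; };

struct fake_pdu {
    int      error_status;
    uint32_t nbindings;          /* unsigned, like bsnmp's u_int nbindings */
    struct fake_binding bindings[SNMP_MAX_BINDINGS];
};

enum walk_result { WALK_CONTINUE = 0, WALK_STOP = -1, WALK_OOB = -2 };

/* As reported: a NOSUCHNAME reply is logged but signalled as success (0). */
static int parse_resp_buggy(const struct fake_pdu *resp)
{
    if (resp->error_status == SNMP_ERR_NOSUCHNAME) {
        fprintf(stderr, "Error - No Such Name\n");
        return (0);          /* bug: the caller goes on to use the reply */
    }
    return (resp->error_status == SNMP_ERR_NOERROR ? 0 : -1);
}

/* The one-line fix proposed in the report: treat NOSUCHNAME as an error. */
static int parse_resp_fixed(const struct fake_pdu *resp)
{
    if (resp->error_status == SNMP_ERR_NOSUCHNAME) {
        fprintf(stderr, "Error - No Such Name\n");
        return (-1);
    }
    return (resp->error_status == SNMP_ERR_NOERROR ? 0 : -1);
}

/*
 * Model of the walk loop's next step. With guard_nbindings == 0 it does
 * what the report describes: index bindings[nbindings - 1] unchecked.
 * With guard_nbindings == 1 it also refuses replies whose binding count
 * is zero or above the array size (an assumed defensive check).
 */
static enum walk_result
walk_step(const struct fake_pdu *resp,
          int (*parse)(const struct fake_pdu *), int guard_nbindings)
{
    if (parse(resp) != 0)
        return (WALK_STOP);
    if (guard_nbindings &&
        (resp->nbindings == 0 || resp->nbindings > SNMP_MAX_BINDINGS))
        return (WALK_STOP);

    uint32_t idx = resp->nbindings - 1;   /* wraps to UINT32_MAX when 0 */
    if (idx >= SNMP_MAX_BINDINGS) {
        /* The real code takes &resp.bindings[idx].var here: the wild
         * pointer behind the reported bus error. We only report it. */
        return (WALK_OOB);
    }
    /* real code: snmpwalk_nextpdu_create(op, &resp.bindings[idx].var, &req); */
    return (WALK_CONTINUE);
}

/* Build a constructed reply and run one walk step over it. */
int demo(int error_status, uint32_t nbindings, int use_fix, int guard)
{
    struct fake_pdu resp;
    memset(&resp, 0, sizeof(resp));
    resp.error_status = error_status;
    resp.nbindings = nbindings;
    return (walk_step(&resp, use_fix ? parse_resp_fixed : parse_resp_buggy,
        guard));
}

int main(void)
{
    printf("buggy, NOSUCHNAME, 0 bindings:      %d\n",
        demo(SNMP_ERR_NOSUCHNAME, 0, 0, 0));   /* -2: out-of-bounds index */
    printf("fixed, NOSUCHNAME, 0 bindings:      %d\n",
        demo(SNMP_ERR_NOSUCHNAME, 0, 1, 0));   /* -1: walk stops cleanly */
    printf("fixed, NOERROR, 0 bindings:         %d\n",
        demo(SNMP_ERR_NOERROR, 0, 1, 0));      /* -2: the fix alone is not enough */
    printf("fixed+guard, NOERROR, 0 bindings:   %d\n",
        demo(SNMP_ERR_NOERROR, 0, 1, 1));      /* -1 */
    printf("fixed+guard, NOERROR, 3 bindings:   %d\n",
        demo(SNMP_ERR_NOERROR, 3, 1, 1));      /* 0: walk continues */
    return (0);
}
```

The third case is the caveat worth keeping in mind when applying the fix: a hostile agent is not obliged to set error-status at all, so the caller should check the binding count before indexing `resp.bindings` regardless of what `snmp_parse_resp()` returns.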

The attached fake snmp server demonstrates the problem:
% cc bsnmpwalk1.c
% ./a.out &
waiting on port 1610 for a request
% bsnmpwalk -s localhost:1610
SNMP: ignoring trailing junk in message
bsnmpwalk: Error - No Such Name
Bus error (core dumped)