From nobody@FreeBSD.org  Mon Nov 15 12:28:05 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 21AEC106564A
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 15 Nov 2010 12:28:05 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id EB1D48FC0A
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 15 Nov 2010 12:28:04 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id oAFCS4tE034994
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 15 Nov 2010 12:28:04 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id oAFCS46Z034993;
	Mon, 15 Nov 2010 12:28:04 GMT
	(envelope-from nobody)
Message-Id: <201011151228.oAFCS46Z034993@www.freebsd.org>
Date: Mon, 15 Nov 2010 12:28:04 GMT
From: Sergey Svishchev <svs@ropnet.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: bsnmpd fails with stack overflow during GETBULK of dskTable
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         152259
>Category:       bin
>Synopsis:       bsnmpd(1) fails with stack overflow during GETBULK of dskTable
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ae
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 15 12:30:10 UTC 2010
>Closed-Date:    
>Last-Modified:  Thu May 16 22:30:00 UTC 2013
>Originator:     Sergey Svishchev
>Release:        8.1
>Organization:
>Environment:
>Description:
"snmpbulkget -v 2c -c public -Cr999 ... dskTable" causes bsnmpd to exhaust stack and crash.
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->ae 
Responsible-Changed-By: ae 
Responsible-Changed-When: Wed Oct 26 06:51:19 UTC 2011 
Responsible-Changed-Why:  
Take. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=152259 

From: Luiz Otavio O Souza <loos@netdigit.com.br>
To: bug-followup@FreeBSD.org,
 svs@ropnet.ru
Cc:  
Subject: Re: bin/152259: bsnmpd(1) fails with stack overflow during GETBULK of dskTable
Date: Thu, 16 May 2013 19:20:32 -0300

 Hello,
 
 For some reason the example from this PR doesn't crash bsnmpd anymore.
 
 garga@ told me about this problem and he found another reliable way to crash bsnmpd:
 
 snmpbulkwalk -v 2c -c public -Cr101 bsnmpd_IP if
 
 If you use any number up to 100 on the -Cr option it won't crash, but any number bigger than that will make it crash.
 
 After digging a little bit I found the cause: the bindings inside the snmp_pdu structure are defined as:
 
         struct snmp_value       bindings[SNMP_MAX_BINDINGS];
 
 Where SNMP_MAX_BINDINGS is declared as 100, and so every time snmp_getbulk() tries to encode more bindings than SNMP_MAX_BINDINGS it will crash bsnmpd with the stack overflow.
 
 For some unknown reason (at least to me - not enough bsnmp foo from my part) when pdu->type is SNMP_PDU_GETBULK pdu->error_index is used to specify the number of bindings instead of pdu->nbindings, and this bypasses the check for the maximum number of bindings.
 
 I have the following patch, which prevents the crash, but I'm not sure it is correct:
 
 ===================================================================
 --- contrib/bsnmp/lib/snmp.c    (revision 250700)
 +++ contrib/bsnmp/lib/snmp.c    (working copy)
 @@ -256,7 +256,9 @@
         v = pdu->bindings;
         err = ASN_ERR_OK;
         while (b->asn_len != 0) {
 -               if (pdu->nbindings == SNMP_MAX_BINDINGS) {
 +               if (pdu->nbindings == SNMP_MAX_BINDINGS ||
 +                   (pdu->type == SNMP_PDU_GETBULK &&
 +                   pdu->error_index > SNMP_MAX_BINDINGS)) {
                         snmp_error("too many bindings (> %u) in PDU",
                             SNMP_MAX_BINDINGS);
                         return (ASN_ERR_FAILED);
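Review bot: the new condition refuses the whole request at decode time on the strength of pdu->error_index, but in a GETBULK PDU that field carries the client's max-repetitions (RFC 3416 overloads error-status and error-index as non-repeaters and max-repetitions), and the RFC lets an agent answer with fewer repetitions than asked for, so a request with -Cr101 is well-formed and should get a (shorter) answer rather than ASN_ERR_FAILED. The overflow happens when the response is built, so the bound belongs in snmp_getbulk(): clamp the repetition count so that non-repeaters plus max-repetitions times the number of repeating bindings never exceeds SNMP_MAX_BINDINGS, or check the response's nbindings before each write into bindings[], so that the stack array is never written past its end whatever the packet says. Two smaller points: the "too many bindings (> %u) in PDU" message now fires for a request whose own binding count is fine, which will mislead whoever reads the log, and the added test depends only on PDU header fields yet sits inside the per-binding loop, so it is re-evaluated for every binding and never runs for a request that carries no bindings at all.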
 
 
 I would appreciate it if someone more clueful about [b]snmpd could take a look.
 
 Thanks,
 Luiz
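A model of the response-side bound that keeps a GETBULK answer inside a fixed-size bindings array, as an added example for this PR: this is not bsnmp's code, and the struct, field and function names (bulk_pdu, bulk_response_size, build_bulk_response, bounded_size) are assumptions chosen to mirror the PR text. SNMP_MAX_BINDINGS is kept at the value of 100 named above, and the non-repeaters/max-repetitions arithmetic follows RFC 3416. The example goes beyond the PR's single case: it handles non-repeaters and several request bindings, not only one OID walked with -Cr<N>.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SNMP_MAX_BINDINGS 100   /* same bound as the one named in the PR */

/* Stand-in for one variable binding: the last OID sub-identifier is enough. */
struct binding { unsigned int oid_tail; };

/* Stand-in for the PDU (hypothetical name). Per RFC 3416 a GETBULK request
 * carries non-repeaters in the error-status slot and max-repetitions in the
 * error-index slot, which is why error_index appears in the PR's check. */
struct bulk_pdu {
    unsigned int nbindings;     /* bindings actually present in the PDU */
    unsigned int error_status;  /* non-repeaters for GETBULK */
    unsigned int error_index;   /* max-repetitions for GETBULK */
    struct binding bindings[SNMP_MAX_BINDINGS];
};

/* Response size the request asks for, capped at the array size:
 *   N = min(non-repeaters, nbindings), R = nbindings - N, M = max-repetitions,
 *   wanted = N + M * R.  *clamped is set when the cap applies; the multiply
 * is skipped when M alone exceeds the cap so a huge M cannot wrap around. */
size_t bulk_response_size(const struct bulk_pdu *req, int *clamped)
{
    size_t non_rep = req->error_status, max_rep = req->error_index;
    size_t repeaters, wanted;

    if (non_rep > req->nbindings)
        non_rep = req->nbindings;
    repeaters = req->nbindings - non_rep;
    if (repeaters > 0 && max_rep > SNMP_MAX_BINDINGS)
        wanted = SNMP_MAX_BINDINGS + 1;   /* already over the cap */
    else
        wanted = non_rep + max_rep * repeaters;
    *clamped = wanted > SNMP_MAX_BINDINGS;
    return *clamped ? SNMP_MAX_BINDINGS : wanted;
}

/* Build the response from a constructed "MIB" (successor OID = oid_tail + k)
 * and return the number of bindings written. Every write into bindings[] is
 * bounded by bulk_response_size(), never by the raw max-repetitions field. */
size_t build_bulk_response(const struct bulk_pdu *req, struct bulk_pdu *resp)
{
    int clamped;
    size_t limit = bulk_response_size(req, &clamped);
    size_t non_rep = req->error_status < req->nbindings ? req->error_status
                                                         : req->nbindings;
    size_t n = 0, rep, i;

    memset(resp, 0, sizeof(*resp));
    for (i = 0; i < non_rep && n < limit; i++, n++)            /* non-repeaters */
        resp->bindings[n].oid_tail = req->bindings[i].oid_tail + 1;
    for (rep = 1; n < limit && non_rep < req->nbindings; rep++) /* repeaters */
        for (i = non_rep; i < req->nbindings && n < limit; i++, n++)
            resp->bindings[n].oid_tail = req->bindings[i].oid_tail + (unsigned int)rep;
    resp->nbindings = (unsigned int)n;
    return n;
}

/* Constructed request with nb bindings (OID tails 0..nb-1), non-repeaters nr
 * and max-repetitions mr; returns how many bindings the bounded response holds.
 * "snmpbulkwalk -Cr<N>" on one OID corresponds to bounded_size(1, 0, N). */
size_t bounded_size(unsigned int nb, unsigned int nr, unsigned int mr)
{
    struct bulk_pdu req, resp;
    unsigned int i;

    memset(&req, 0, sizeof(req));
    req.nbindings = nb;
    req.error_status = nr;
    req.error_index = mr;
    for (i = 0; i < nb && i < SNMP_MAX_BINDINGS; i++)
        req.bindings[i].oid_tail = i;
    return build_bulk_response(&req, &resp);
}

int main(void)
{
    unsigned int reps[] = { 50, 100, 101, 999 };
    size_t k;

    for (k = 0; k < sizeof(reps) / sizeof(reps[0]); k++)
        printf("-Cr%u on one OID -> %zu bindings in the response\n",
               reps[k], bounded_size(1, 0, reps[k]));
    return 0;
}
```

The point of the model is where the limit comes from: the writer loops until the value computed by bulk_response_size(), which is derived from the request but capped at the array size, so -Cr101 and -Cr999 both yield a 100-binding answer instead of writing past bindings[99], and the request itself is still served rather than rejected.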
>Unformatted:
