Red Hat Bugzilla – Attachment 870333 Details for
Bug 1038007
CVE-2012-6151 net-snmp: snmpd crashes/hangs when AgentX subagent times-out
[patch]
backported patch
net-snmp-5.3.2.2-agentx-disconnect-crash.patch (text/plain), 9.32 KB, created by
Jan Safranek
on 2014-03-04 11:26:00 UTC
Description:
backported patch
Filename:
MIME Type:
Creator:
Jan Safranek
Created:
2014-03-04 11:26:00 UTC
Size:
9.32 KB
patch
obsolete
>1038007 - (CVE-2012-6151) CVE-2012-6151 net-snmp: snmpd crashes/hangs when AgentX subagent times-out
>Based on usptream commit 793d596838ff7cb48a73b675d62897c56c9e62df,
>heavily backported to net-snmp-5.3.2.2
>
>diff -up net-snmp-5.3.2.2/agent/mibgroup/agentx/master_admin.ctest net-snmp-5.3.2.2/agent/mibgroup/agentx/master_admin.c
>--- net-snmp-5.3.2.2/agent/mibgroup/agentx/master_admin.ctest 2007-01-22 17:19:47.000000000 +0100
>+++ net-snmp-5.3.2.2/agent/mibgroup/agentx/master_admin.c 2014-01-10 12:04:11.168841264 +0100
>@@ -161,6 +161,7 @@ close_agentx_session(netsnmp_session * s
> for (sp = session->subsession; sp != NULL; sp = sp->next) {
>
> if (sp->sessid == sessid) {
>+ netsnmp_remove_delegated_requests_for_session(sp);
> unregister_mibs_by_session(sp);
> unregister_index_by_session(sp);
> snmp_call_callbacks(SNMP_CALLBACK_APPLICATION,
>diff -up net-snmp-5.3.2.2/agent/mibgroup/agentx/master.ctest net-snmp-5.3.2.2/agent/mibgroup/agentx/master.c
>--- net-snmp-5.3.2.2/agent/mibgroup/agentx/master.ctest 2007-08-16 15:25:54.000000000 +0200
>+++ net-snmp-5.3.2.2/agent/mibgroup/agentx/master.c 2014-01-10 12:04:11.169841263 +0100
>@@ -226,7 +226,7 @@ agentx_got_response(int operation,
> if (!cache) {
> DEBUGMSGTL(("agentx/master", "response too late on session %08p\n",
> session));
>- return 0;
>+ return 1;
> }
> requests = cache->requests;
>
>diff -up net-snmp-5.3.2.2/agent/snmp_agent.ctest net-snmp-5.3.2.2/agent/snmp_agent.c
>--- net-snmp-5.3.2.2/agent/snmp_agent.ctest 2014-01-10 12:03:46.486884660 +0100
>+++ net-snmp-5.3.2.2/agent/snmp_agent.c 2014-01-10 12:03:02.000000000 +0100
>@@ -1336,6 +1336,7 @@ free_agent_snmp_session(netsnmp_agent_se
> netsnmp_free_cachemap(asp->cache_store);
> asp->cache_store = NULL;
> }
>+ agent_snmp_session_release_cancelled(asp);
> SNMP_FREE(asp);
> }
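Review bot: The call added in close_agentx_session() has to stay ahead of `unregister_mibs_by_session(sp)`, and nothing in the hunk says so. netsnmp_remove_delegated_requests_for_session(), rewritten later in this patch, matches requests through `request->subtree->session`, so it presumably needs the session's subtrees to still be registered when it runs. A one-line comment such as `/* cancel delegated requests first: they are matched via request->subtree */` would keep a later reorder from reintroducing the crash. The function body starts and ends outside the hunk.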
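Review bot: The changed return value in agentx_got_response() is a bare `1` with no explanation of what it tells the caller. As far as I know the snmp library treats a callback return of 1 as "request handled, drop it", which fits a late reply for a request that was already given up on, but that contract is not visible in the hunk. I would add `/* late reply for a request we no longer track: report it as handled */` above `return 1;`. The function starts and ends outside the hunk.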
>
>@@ -1347,6 +1348,10 @@ netsnmp_check_for_delegated(netsnmp_agen
>
> if (NULL == asp->treecache)
> return 0;
>+
>+ if (agent_snmp_session_is_cancelled(asp)) {
>+ return 0;
>+ }
>
> for (i = 0; i <= asp->treecache_num; i++) {
> for (request = asp->treecache[i].requests_begin; request;
>@@ -1425,39 +1431,46 @@ int
> netsnmp_remove_delegated_requests_for_session(netsnmp_session *sess)
> {
> netsnmp_agent_session *asp;
>- int count = 0;
>+ int total_count = 0;
>
> for (asp = agent_delegated_list; asp; asp = asp->next) {
> /*
> * check each request
> */
>+ int i;
>+ int count = 0;
> netsnmp_request_info *request;
>- for(request = asp->requests; request; request = request->next) {
>- /*
>- * check session
>- */
>- netsnmp_assert(NULL!=request->subtree);
>- if(request->subtree->session != sess)
>- continue;
>-
>- /*
>- * matched! mark request as done
>- */
>- netsnmp_request_set_error(request, SNMP_ERR_GENERR);
>- ++count;
>+ for (i = 0; i <= asp->treecache_num; i++) {
>+ for (request = asp->treecache[i].requests_begin; request;
>+ request = request->next) {
>+ /*
>+ * check session
>+ */
>+ netsnmp_assert(NULL!=request->subtree);
>+ if(request->subtree->session != sess)
>+ continue;
>+ /*
>+ * matched! mark request as done
>+ */
>+ netsnmp_request_set_error(request, SNMP_ERR_GENERR);
>+ ++count;
>+ }
>+ }
>+ if (count) {
>+ agent_snmp_session_mark_cancelled(asp);
>+ total_count += count;
> }
> }
>-
> /*
> * if we found any, that request may be finished now
> */
>- if(count) {
>+ if(total_count) {
> DEBUGMSGTL(("snmp_agent", "removed %d delegated request(s) for session "
>- "%08p\n", count, sess));
>- netsnmp_check_outstanding_agent_requests();
>+ "%8p\n", total_count, sess));
>+ netsnmp_check_delegated_requests();
> }
>-
>- return count;
>+
>+ return total_count;
> }
>
> int
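Review bot: In netsnmp_remove_delegated_requests_for_session() the result of `agent_snmp_session_mark_cancelled(asp)` is discarded, although that helper returns SNMP_ERR_GENERR when its realloc() fails. In that case the matching requests are already set to SNMP_ERR_GENERR but the session is never recorded as cancelled, so the `agent_snmp_session_is_cancelled()` guards this patch adds in netsnmp_check_for_delegated() and check_delayed_request() will not fire for it. At minimum the failure should be logged, e.g. `if (agent_snmp_session_mark_cancelled(asp) != 0) snmp_log(LOG_ERR, "cannot record cancelled session %p\n", asp);`. The new loop also indexes `asp->treecache[i]` without the `NULL == asp->treecache` test that netsnmp_check_for_delegated() performs; if a session on agent_delegated_list can lack a treecache, the same guard is needed here.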
>@@ -2606,19 +2619,11 @@ handle_var_requests(netsnmp_agent_sessio
> return final_status;
> }
>
>-/*
>- * loop through our sessions known delegated sessions and check to see
>- * if they've completed yet. If there are no more delegated sessions,
>- * check for and process any queued requests
>- */
> void
>-netsnmp_check_outstanding_agent_requests(void)
>+netsnmp_check_delegated_requests(void)
> {
> netsnmp_agent_session *asp, *prev_asp = NULL, *next_asp = NULL;
>
>- /*
>- * deal with delegated requests
>- */
> for (asp = agent_delegated_list; asp; asp = next_asp) {
> next_asp = asp->next; /* save in case we clean up asp */
> if (!netsnmp_check_for_delegated(asp)) {
>@@ -2657,6 +2662,22 @@ netsnmp_check_outstanding_agent_requests
> prev_asp = asp;
> }
> }
>+}
>+
>+/*
>+ * loop through our sessions known delegated sessions and check to see
>+ * if they've completed yet. If there are no more delegated sessions,
>+ * check for and process any queued requests
>+ */
>+void
>+netsnmp_check_outstanding_agent_requests(void)
>+{
>+ netsnmp_agent_session *asp;
>+
>+ /*
>+ * deal with delegated requests
>+ */
>+ netsnmp_check_delegated_requests();
>
> /*
> * if we are processing a set and there are more delegated
>@@ -2685,7 +2706,8 @@ netsnmp_check_outstanding_agent_requests
>
> netsnmp_processing_set = netsnmp_agent_queued_list;
> DEBUGMSGTL(("snmp_agent", "SET request remains queued while "
>- "delegated requests finish, asp = %08p\n", asp));
>+ "delegated requests finish, asp = %08p\n",
>+ agent_delegated_list));
> break;
> }
>
>@@ -2745,6 +2767,10 @@ check_delayed_request(netsnmp_agent_sess
> case SNMP_MSG_GETBULK:
> case SNMP_MSG_GETNEXT:
> netsnmp_check_all_requests_status(asp, 0);
>+ if (agent_snmp_session_is_cancelled(asp)) {
>+ DEBUGMSGTL(("snmp_agent","canceling next walk for asp %p\n", asp));
>+ break;
>+ }
> handle_getnext_loop(asp);
> if (netsnmp_check_for_delegated(asp) &&
> netsnmp_check_transaction_id(asp->pdu->transid) !=
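Review bot: netsnmp_check_delegated_requests() is left without any comment in the hunk at -2606. The block comment that used to sit above this code moves to the new netsnmp_check_outstanding_agent_requests() wrapper, while the renamed function becomes public through snmp_agent.h. I would add a short header above it saying that it walks agent_delegated_list and tests each session with netsnmp_check_for_delegated(), and that the queued-request handling stays in the wrapper. That last part is inferred from how the code is split and should be confirmed against the full function, most of which lies outside the hunks.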
>@@ -3701,3 +3728,71 @@ netsnmp_set_all_requests_error(netsnmp_a
> return error_value;
> }
> /** @} */
>+
>+
>+/*
>+ * Ugly hack to fix bug #950602 and preserve ABI
>+ * (the official patch adds netsnmp_agent_session->flags).
>+ * We must create parallel database of netsnmp_agent_sessions
>+ * and put cancelled requests there instead of marking
>+ * netsnmp_agent_session->flags.
>+ */
>+static netsnmp_agent_session **cancelled_agent_snmp_sessions;
>+static int cancelled_agent_snmp_sessions_count;
>+static int cancelled_agent_snmp_sessions_max;
>+
>+int
>+agent_snmp_session_mark_cancelled(netsnmp_agent_session *session)
>+{
>+ DEBUGMSGTL(("agent:cancelled", "Cancelling session %p\n", session));
>+ if (!session)
>+ return 0;
>+ if (cancelled_agent_snmp_sessions_count + 1 > cancelled_agent_snmp_sessions_max) {
>+ netsnmp_agent_session **aux;
>+ int max = cancelled_agent_snmp_sessions_max + 10;
>+ aux = realloc(cancelled_agent_snmp_sessions, sizeof(netsnmp_agent_session*) * max);
>+ if (!aux)
>+ return SNMP_ERR_GENERR;
>+ cancelled_agent_snmp_sessions = aux;
>+ cancelled_agent_snmp_sessions_max = max;
>+ }
>+ cancelled_agent_snmp_sessions[cancelled_agent_snmp_sessions_count] = session;
>+ cancelled_agent_snmp_sessions_count++;
>+ return 0;
>+}
>+
>+int
>+agent_snmp_session_is_cancelled(netsnmp_agent_session *session)
>+{
>+ int i;
>+ for (i=0; i<cancelled_agent_snmp_sessions_count; i++)
>+ if (cancelled_agent_snmp_sessions[i] == session) {
>+ DEBUGMSGTL(("agent:cancelled", "session %p is cancelled\n", session));
>+ return TRUE;
>+ }
>+ return FALSE;
>+}
>+
>+int
>+agent_snmp_session_release_cancelled(netsnmp_agent_session *session)
>+{
>+ int i, j;
>+
>+ if (!session)
>+ return 0;
>+
>+ DEBUGMSGTL(("agent:cancelled", "Removing session %p\n", session));
>+
>+ /* delete the session from cancelled_agent_snmp_sessions */
>+ for (i=0, j=0; j<cancelled_agent_snmp_sessions_count; i++, j++)
>+ if (cancelled_agent_snmp_sessions[j] == session)
>+ i--; /* don't increase i in this loop iteration */
>+ else
>+ cancelled_agent_snmp_sessions[i] = cancelled_agent_snmp_sessions[j];
>+
>+ cancelled_agent_snmp_sessions_count = i;
>+
>+ for (; i< cancelled_agent_snmp_sessions_max; i++)
>+ cancelled_agent_snmp_sessions[i] = NULL;
>+ return 0;
>+}
>diff -up net-snmp-5.3.2.2/include/net-snmp/agent/snmp_agent.htest net-snmp-5.3.2.2/include/net-snmp/agent/snmp_agent.h
>--- net-snmp-5.3.2.2/include/net-snmp/agent/snmp_agent.htest 2007-01-03 17:39:48.000000000 +0100
>+++ net-snmp-5.3.2.2/include/net-snmp/agent/snmp_agent.h 2014-01-10 12:04:11.171841259 +0100
>@@ -231,6 +231,7 @@ extern "C" {
> int init_master_agent(void);
> void shutdown_master_agent(void);
> int agent_check_and_process(int block);
>+ void netsnmp_check_delegated_requests(void);
> void netsnmp_check_outstanding_agent_requests(void);
>
> int netsnmp_request_set_error(netsnmp_request_info *request,
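Review bot: The three helpers appended to snmp_agent.c in the hunk at -3701 (agent_snmp_session_mark_cancelled, agent_snmp_session_is_cancelled, agent_snmp_session_release_cancelled) are defined without `static`, and no prototype for them appears anywhere in this patch, yet they are called from the earlier hunks of the same file. Unless a declaration exists outside the patch, those calls compile only through implicit declaration. The helpers also become exported symbols of the agent library, even though the comment says the side table exists to leave the ABI unchanged. Making them `static` and adding forward declarations near the top of the file, e.g. `static int agent_snmp_session_is_cancelled(netsnmp_agent_session *session);`, would address both.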
Attachments on
bug 1038007
:
870332
| 870333