Bug 1072044

Summary: snmptrapd segfaults under specific conditions
Product: Red Hat Enterprise Linux 5 Reporter: viliam.pucik
Component: net-snmpAssignee: Jan Safranek <jsafrane>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 5.10CC: ksrot, viliam.pucik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-02 13:00:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1072778    
Attachments:
Description Flags
Fixes newSVpv calls none

Description viliam.pucik 2014-03-03 18:41:20 UTC 
Created attachment 870071 [details]
Fixes newSVpv calls

Description of problem:

Sending SNMP trap with empty community string crashes snmptrapd if Perl handler is enabled.

Version-Release number of selected component (if applicable):

net-snmp-perl-5.3.2.2

How reproducible:

Steps to Reproduce:
1. Install net-snmp-perl:

yum install net-snmp-perl

2. Enable Perl handler for snmptrapd:

echo 'NetSNMP::TrapReceiver::register( "all", sub {} );' > /etc/snmp/handler.pl
echo 'disableAuthorization yes' > /etc/snmp/snmptrapd.conf
echo 'perl do "/etc/snmp/handler.pl"' >> /etc/snmp/snmptrapd.conf

4. Start snmptrapd:

/usr/sbin/snmptrapd -C -c /etc/snmp/snmptrapd.conf -n -Le -f


3. Submit a trap with empty community string:

snmptrap -v 2c -c "" localhost "" .1

Actual results:

snmptrapd segfaults.

Expected results:

snmptrapd should continue running.

Additional info:

The issues is caused by Perl's 5.8.8 newSVpv() function which crashes if the first argument is NULL (https://sourceforge.net/p/net-snmp/patches/1275/). Attached is a patch for RHEL5.
Comment 3 Jan Safranek 2014-03-06 08:41:56 UTC 
Thanks for the bug report and the patch. I've pushed the patch upstream.
Comment 4 RHEL Program Management 2014-03-07 12:12:01 UTC 
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in the  last planned RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX. To request that Red Hat re-consider this request, please re-open the bugzilla via  appropriate support channels and provide additional business and/or technical details about its importance to you.
Comment 5 Jan Safranek 2014-03-07 12:35:06 UTC 
Villiam,

the comment #4 is automatically generated. While this bug report may be closed soon, it has security implications, which are tracked in separate bug #1072778 and the crashing snmptrapd _should_ be fixed in RHEL 5 eventually.

[yeah, messy, but Bugzilla is an engineering tool...]
Comment 6 RHEL Program Management 2014-06-02 13:00:36 UTC 
Thank you for submitting this request for inclusion in Red Hat Enterprise Linux 5. We've carefully evaluated the request, but are unable to include it in RHEL5 stream. If the issue is critical for your business, please provide additional business justification through the appropriate support channels (https://access.redhat.com/site/support).
Comment 7 viliam.pucik 2015-01-12 19:27:30 UTC 
OK, thank you Jan for including the patch in the upstream.