Bug 1327200

Summary: net-snmp crashes in netsnmp_copy_fd_set_to_large_fd_set
Product: Red Hat Enterprise Linux 7
Reporter: Dalibor Pospíšil <dapospis>
Component: net-snmp
Assignee: Josef Ridky <jridky>
Status: CLOSED ERRATA
QA Contact: Jan Blazek <jblazek>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.2
CC: jridky, ksrot, ovasik
Target Milestone: rc
Keywords: EasyFix, Patch
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: net-snmp-5.7.2-27.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1261727
Environment:
Last Closed: 2017-08-01 15:58:57 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1380364

Description Dalibor Pospíšil 2016-04-14 12:35:33 UTC
+++ This bug was initially created as a clone of Bug #1261727 +++

Description of problem:
net-snmp dies with buffer overflow
HACK: fake netsnmp_close_fds called
NET-SNMP version 5.7.2
*** buffer overflow detected ***: snmpd terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7f78f0a87b37]
/lib64/libc.so.6(+0x10bcf0)[0x7f78f0a85cf0]
/lib64/libc.so.6(+0x10daa7)[0x7f78f0a87aa7]
/lib64/libnetsnmp.so.31(netsnmp_large_fd_set_resize+0x71)[0x7f78f2459e41]
/lib64/libnetsnmp.so.31(netsnmp_large_fd_setfd+0x24)[0x7f78f245a054]
/lib64/libnetsnmp.so.31(snmp_sess_select_info2_flags+0xa5)[0x7f78f243abc5]
snmpd(+0x3fdd)[0x7f78f3456fdd]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f78f099bb15]
snmpd(+0x4a9d)[0x7f78f3457a9d]
/usr/share/beakerlib/testing.sh: line 779: 11411 Aborted                 (core dumped) LD_PRELOAD=./fakeclosefds.so python ./runsnmpd.py


Version-Release number of selected component (if applicable):
net-snmp-5.7.2-24.el7

How reproducible:
always

Steps to Reproduce:
using linked test case (reproducer from https://bugzilla.redhat.com/show_bug.cgi?id=1261727#c13)

Comment 7 errata-xmlrpc 2017-08-01 15:58:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1863