From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021127

Description of problem:
There is an off-by-one error in the SNMP agent's source code. Anyone who can make a GET request to the server can crash it.

Version-Release number of selected component (if applicable):
5.0.1

How reproducible:
Always

Steps to Reproduce:
N/A

Actual Results:
N/A

Expected Results:
N/A

Additional info:
Around agent/snmpd_agent.c:1490 where the agent grows its cache, it memsets all but the last element in the expanded array to 0x00. To fix it, change line 1490 from

    sizeof(netsnmp_tree_cache) * (CACHE_GROW_SIZE - 1));

to

    sizeof(netsnmp_tree_cache) * CACHE_GROW_SIZE );

This problem is also present in Net-SNMP 5.0.6, although the line moved down to around 1581. Contact me if you need a demonstration program that can reliably crash snmpd.
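The grow-and-zero pattern described in the report, as an added illustration that is not Net-SNMP's code: the reported memset length beside the corrected one, with a hypothetical simplified struct standing in for netsnmp_tree_cache and a deliberate stale-byte fill so the un-zeroed last entry is observable deterministically.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define CACHE_GROW_SIZE 16

/* Hypothetical simplified stand-in for netsnmp_tree_cache. */
typedef struct {
    void *subtree;
    int   cnt;
} tree_cache;

/* Grow the cache by CACHE_GROW_SIZE entries. With `buggy` set, only
 * CACHE_GROW_SIZE - 1 of the new entries are zeroed, mirroring the
 * reported off-by-one; otherwise all new entries are zeroed. */
static tree_cache *grow_cache(tree_cache *cache, int *capacity, int buggy) {
    int old = *capacity;
    int new_cap = old + CACHE_GROW_SIZE;
    tree_cache *p = realloc(cache, sizeof(tree_cache) * new_cap);
    if (!p) return NULL;
    /* Constructed stale heap contents in the new region, so that an
     * un-zeroed entry shows up as a non-NULL pointer / non-zero count. */
    memset(p + old, 0xAA, sizeof(tree_cache) * CACHE_GROW_SIZE);
    if (buggy)
        memset(p + old, 0x00, sizeof(tree_cache) * (CACHE_GROW_SIZE - 1));
    else
        memset(p + old, 0x00, sizeof(tree_cache) * CACHE_GROW_SIZE);
    *capacity = new_cap;
    return p;
}

/* Count entries in [from, cap) that a caller would wrongly treat as
 * populated because they still hold stale data. */
static int count_unzeroed(const tree_cache *cache, int from, int cap) {
    int n = 0;
    for (int i = from; i < cap; i++)
        if (cache[i].subtree != NULL || cache[i].cnt != 0) n++;
    return n;
}

/* Grow an empty cache once and return how many new entries stayed stale. */
int stale_after_grow(int buggy) {
    int cap = 0;
    tree_cache *c = grow_cache(NULL, &cap, buggy);
    if (!c) return -1;
    int stale = count_unzeroed(c, 0, cap);
    free(c);
    return stale;
}

int main(void) {
    printf("buggy grow leaves %d stale entries\n", stale_after_grow(1));
    printf("fixed grow leaves %d stale entries\n", stale_after_grow(0));
    return 0;
}
```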
Is this a known public issue (has it been reported to Net-SNMP folks)? Any references or details about how this was reported and when would help us with any erratum.
I added it to the Net-SNMP bug tracker yesterday. Its number is 648515. Wes Hardaker says a fix was already in the CVS tree and it will be in the forthcoming 5.0.7 release. Here's a link to the Sourceforge bug: https://sourceforge.net/tracker/?func=detail&atid=112694&aid=648515&group_id=12694
Mark, is this fixed in the latest snmp we pushed? If so, can you close it? Alan the bugzilla womble
Yes, fixed by erratum http://rhn.redhat.com/errata/RHSA-2002-228.html (This bug should have got automatically updated when the erratum was pushed, will look into this as a process problem).