Red Hat Bugzilla – Bug 79028
SEGV in Net-SNMP
Last modified: 2015-03-04 20:11:47 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2) Gecko/20021127
Description of problem:
There is an off-by-one error in the SNMP agent's source code. Anyone who can
make a GET request to the server can crash it.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Actual Results: N/A
Expected Results: N/A
Around agent/snmpd_agent.c:1490 where the agent grows its cache, it memsets all
but the last element in the expanded array to 0x00.
To fix it, change line 1490 from
sizeof(netsnmp_tree_cache) * (CACHE_GROW_SIZE - 1));
sizeof(netsnmp_tree_cache) * CACHE_GROW_SIZE );
This problem is also present in Net-SNMP 5.0.6, although the line moved down
Contact me if you need a demonstration program that can reliably crash snmpd.
Is this a known public issue (has it been reported to Net-SNMP folks)? Any
references or details about how this was reported and when would help us with
I added it to the Net-SNMP bug tracker yesterday. It's number is 648515. Wes
Hardaker says a fix was already in the CVS tree and it will be in the
forthcoming 5.0.7 release.
Here's a link to the Sourceforge bug:
Mark is this fixed in the latest snmp we pushed if so can you close it
Alan the bugzilla womble
Yes, fixed by erratum
(This bug should have got automatically updated when the erratum was pushed,
will look into this as a process problem).