Dear NET-SNMP developers,
I am a Ph.D. student at Case Western Reserve University. Our research
group develops an interprocedural analysis approach to discovering
defects in software from source code directly. Some of our previously
reported bugs about your project have been confirmed and fixed by your
group. Your opinions on the reported bugs are very important to our
research. We really appreciate your valuable suggestions about our
report.
Our approach discovered some additional potential bugs in the net-snmp
project (version 5.3.2), as follows. Please shed some light on whether
they are real bugs (or technically are bugs). Thanks a lot!
Best regards,
Raymond
# 1 (100)
File Name: /snmp/snmplib/snmp_api.c
Function Name: snmp_pdu_realloc_rbuild()
3395: rc = asn_realloc_rbuild_sequence(pkt, pkt_len, offset, 1,
3396:                                  (u_char) (ASN_SEQUENCE | ASN_CONSTRUCTOR),
3398:                                  *offset - start_offset);
Description: We found a rule specifying that an error occurs if
asn_realloc_rbuild_sequence() returns 0. The return value of the
function is not checked in the above code.
==================================================================================
# 2 (125)
File Name: /snmp/apps/snmpnetstat/if.c
Function Name: sidewaysintpr()
529: netsnmp_query_walk( var, ss );
File Name: /snmp/apps/snmpnetstat/if.c
Function Name: _set_address()
117: netsnmp_query_walk( addr_if_var, ss );
122: netsnmp_query_walk( addr_mask_var, ss );
Description: We found a rule specifying that an error occurs if
netsnmp_query_walk() returns "!SNMP_ERR_NOERROR". The return value of
the function is not checked in the above code.
===============================================================================================
# 3 (164)
File Name: /snmp/snmplib/snmp_api.c
Function Name: snmp_pdu_parse()
4495: asn_parse_string(var_val, &len, &vp->type, vp->val.string,
4496:                  &vp->val_len);
Description: The specification of asn_parse_string() describes that an
error occurs if asn_parse_string() returns 0. However, the output of
asn_parse_string() is not checked in the above code.
# 4 (81)
File Name: /agent/mibgroup/target/snmpTargetParamsEntry.c
Function Name: snmpTargetParams_createNewRow()
1224: if (pNameLen > 0) {
1225: temp_struct = snmpTargetParamTable_create();
// if (temp_struct == NULL) return;
1236: update_timestamp(temp_struct);
File Name: /agent/mibgroup/target/snmpTargetParamsEntry.c
Function Name: snmpd_parse_config_targetParams()
507: newEntry = snmpTargetParamTable_create();
// if (newEntry == NULL) return;
552: update_timestamp(newEntry);
File Name: /agent/mibgroup/target/snmpTargetParamsEntry.c
Function Name: snmpTargetParamTable_create()
47: snmpTargetParamTable_create(void)
51: newEntry = (struct targetParamTable_struct *)
52:            malloc(sizeof(targetParamTable_struct));
// if (newEntry == NULL) return NULL;
64: return newEntry;
Description: We found a rule requiring that the input parameter of
update_timestamp() be non-NULL. In the above code, the inputs of
update_timestamp() are the outputs of snmpTargetParamTable_create(),
generated by malloc(). It may be better to check:
- whether the output of malloc() is NULL in snmpTargetParamTable_create()
- whether the outputs of snmpTargetParamTable_create() are NULL in
  snmpTargetParams_createNewRow() and snmpd_parse_config_targetParams().
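As an added illustration of item #4 (this is example code, not net-snmp's own and not part of the report), the following self-contained C model applies the two checks proposed above to a hypothetical entry type, using a fault-injectable allocator so the NULL path can be exercised deterministically; struct and function names are made up.

```c
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for net-snmp's targetParamTable_struct. */
struct param_entry {
    char  *paramName;
    time_t timestamp;
};

/* Non-zero makes the allocator act as if the heap is exhausted, so the
 * NULL path the report describes can be exercised deterministically. */
static int g_fail_alloc = 0;

static void *entry_malloc(size_t n) { return g_fail_alloc ? NULL : malloc(n); }

/* Hardened equivalent of snmpTargetParamTable_create(): the malloc()
 * result is checked before anything is written through it. */
struct param_entry *param_entry_create(void)
{
    struct param_entry *e = entry_malloc(sizeof(*e));
    if (e == NULL)
        return NULL;
    memset(e, 0, sizeof(*e));
    return e;
}

/* Precondition (the rule the report cites): e must be non-NULL. */
static void entry_update_timestamp(struct param_entry *e) { e->timestamp = time(NULL); }

/* Hardened equivalent of snmpTargetParams_createNewRow(): every pointer
 * reaching entry_update_timestamp() is checked first. Returns 0 on
 * success, -1 on allocation failure (with *out left NULL). */
int param_entry_new_row(const char *name, struct param_entry **out)
{
    struct param_entry *e = param_entry_create();
    *out = NULL;
    if (e == NULL)
        return -1;                    /* the check missing in item #4 */
    e->paramName = entry_malloc(strlen(name) + 1);
    if (e->paramName == NULL) {
        free(e);                      /* do not leak the half-built entry */
        return -1;
    }
    strcpy(e->paramName, name);
    entry_update_timestamp(e);
    *out = e;
    return 0;
}
```

Setting g_fail_alloc to 1 reproduces the condition under which the original code would pass a NULL pointer into update_timestamp(); with the checks in place the caller receives -1 and a NULL entry instead.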
_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders