On Mon, Aug 8, 2011 at 1:23 PM, Duy Doan Khuong <[email protected]> wrote:
> Hi all,
>
> I found some potential crash with net-snmp library, it causes the crash on
> my test system. I'm using version
>
> Take a look at the net-snmp-lib\snmplib\mib.c file, at the
> netsnmp_mibindex_lookup() function.
>
> Here is stack:
> netsnmp_mibindex_lookup()
> netsnmp_mibindex_new()
> add_mibdir()
> netsnmp_init_mib()
> init_snmp()
>
>
> in the netsnmp_mibindex_lookup():
> char *
> netsnmp_mibindex_lookup( const char *dirname )
> {
> int i;
> static char tmpbuf[300];
>
> for (i=0; i<_mibindex; i++) {
> if ( _mibindexes[i] && // crash here
> strcmp( _mibindexes[i], dirname ) == 0) {
> snprintf(tmpbuf, sizeof(tmpbuf), "%s/mib_indexes/%d",
> get_persistent_directory(), i);
> tmpbuf[sizeof(tmpbuf)-1] = 0;
> DEBUGMSGTL(("mibindex", "lookup: %s (%d) %s\n", dirname, i,
> tmpbuf ));
> return tmpbuf;
> }
> }
> DEBUGMSGTL(("mibindex", "lookup: (none)\n"));
> return NULL;
> }
>
> The root cause is mibindexes variable, it is declared as char **_mibindexes
> = NULL;
> _mibindexes is allocated in _mibindex_add when necessary. But
> netsnmp_mibindex_lookup accessed _mibindexes without checking it NULL or
> not.
>
> In netsnmp_mibindex_new, the logic is as follow:
>
> + Call netsnmp_mibindex_lookup to check if the mib exists.
> + If not then call _mibindex_add to add it.
>
> So, netsnmp_mibindex_lookup should not assume _mibindexes is already has
> mib
> in there.
>
If _mibindexes is NULL, _mibindex will be zero and hence the loop won't be
entered. But there is an issue with potentially uninitialized array
elements. Does the patch below help ?
diff --git a/snmplib/mib.c b/snmplib/mib.c
index 7fb7986..7c8af9c 100644
--- a/snmplib/mib.c
+++ b/snmplib/mib.c
@@ -2837,6 +2837,8 @@ netsnmp_mibindex_lookup( const char *dirname )
int
_mibindex_add( const char *dirname, int i )
{
+ const int old_mibindex = _mibindex;
+
DEBUGMSGTL(("mibindex", "add: %s (%d)\n", dirname, i ));
if ( i == -1 )
i = _mibindex++;
@@ -2845,9 +2847,12 @@ _mibindex_add( const char *dirname, int i )
* If the index array is full (or non-existent)
* then expand (or create) it
*/
- _mibindexes = realloc(_mibindexes, (i + 10) * sizeof(char*));
- netsnmp_assert(_mibindexes);
_mibindex_max = i + 10;
+ _mibindexes = realloc(_mibindexes,
+ _mibindex_max * sizeof(_mibindexes[0]));
+ netsnmp_assert(_mibindexes);
+ memset(_mibindexes + old_mibindex, 0,
+ (i - old_mibindex) * sizeof(_mibindexes[0]));
}
DEBUGMSGTL(("mibindex", "add: %d/%d/%d\n", i, _mibindex, _mibindex_max
));
------------------------------------------------------------------------------
BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts.
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1
_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
