[ECOS] SNMP GETBULK leaks 50k per request -- security issue

Tad ecos_removethispart@ds3switch.com
Tue Jun 26 11:14:00 GMT 2007

A GETBULK request requiring > 8k bytes in the response 
(snmp_api.c:PACKET_LENGTH or sendto max)
forgets to free the 50k pdu malloc'ed.

Should be able to crash any ecos snmp system with a couple:
bulkget -Cr50 -v 2c -c public system system system system system icmp system icmp
which will eat 5 retries x50k at a time

Basically, the snmp_agent.c we're using is POS full of memory leaks if 
snmp_send or other errors occur.

I grabbed the latest v4.2 branch from SF of snmp_agent.c, snmp_agent.h, 
and snmp_api.h which seem to compile for ecos with virtually no changes 
(used the ECOS includes for snmp_agent.c)

The latest snmp_agent.c seems to do a nice job of cleaning up memory and 
has a slightly faster SET operation.

et. al.
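
Added example, not part of the original post and not eCos or SNMP agent source: a small C model of the error-path leak described above, with the leaky handler shape beside one that releases the PDU on every exit. All function names and the allocation counter are hypothetical; the 50k and 8k sizes are taken from the post.

```c
/* Added illustration; every name here is hypothetical, not eCos agent code. */
#include <stdlib.h>

#define PDU_BYTES    (50 * 1024)  /* per-request allocation size from the post */
#define PACKET_LIMIT (8 * 1024)   /* largest response the send step accepts */
static long live_bytes;           /* bytes currently allocated (demo counter) */

static void *pdu_alloc(void) {
    void *p = calloc(1, PDU_BYTES);
    if (p) live_bytes += PDU_BYTES;
    return p;
}
static void pdu_free(void *p) {
    if (p) { free(p); live_bytes -= PDU_BYTES; }
}

/* Stand-in for the send step: fails when the encoded response is too large. */
static int send_response(const void *pdu, size_t encoded_len) {
    (void)pdu;
    return encoded_len > PACKET_LIMIT ? -1 : 0;
}

/* Leaky shape: the early return on send failure skips the free. */
int handle_request_leaky(size_t encoded_len) {
    void *pdu = pdu_alloc();
    if (!pdu) return -1;
    if (send_response(pdu, encoded_len) < 0)
        return -1;                /* pdu is never released on this path */
    pdu_free(pdu);
    return 0;
}

/* Fixed shape: every exit after the allocation passes through one cleanup. */
int handle_request_fixed(size_t encoded_len) {
    int rc = -1;
    void *pdu = pdu_alloc();
    if (!pdu) return -1;
    if (send_response(pdu, encoded_len) == 0)
        rc = 0;
    pdu_free(pdu);                /* runs on success and on send failure */
    return rc;
}

/* Run n oversized requests through a handler; return bytes left allocated. */
long leaked_after(int (*handler)(size_t), int n) {
    live_bytes = 0;
    for (int i = 0; i < n; i++) handler(PACKET_LIMIT + 1);
    return live_bytes;
}
```

Calling `leaked_after` with the leaky handler shows the counter growing by one PDU per failed send, which is the signal to look for when auditing agent error paths.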
