[ECOS] Re: SNMP GETBULK leaks 50k per request -- security issue

Tad ecos_removethispart@ds3switch.com
Fri Jun 29 10:04:00 GMT 2007

If patched, snmp_api.c also needs 3 changes shown in SF tree.  2 points 
initialize ->data = 0 and snmp_free_var() frees if data != 0.

Tad wrote:
> ...when snmp_send() fails.
> Tad wrote:
>> A GETBULK request requiring > 8k bytes in the response 
>> (snmp_api.c:PACKET_LENGTH or sendto max)
>> forgets to free the 50k pdu malloc'ed.
>> Should be able to crash any ecos snmp system with a couple:
>> bulkget -Cr50 -v 2c -c public system system system 
>> system system icmp system icmp
>> which will eat 5 retries x50k at a time
>> Basically, the snmp_agent.c we're using is POS full of memory leaks 
>> if snmp_send or other errors occur.
>> I grabbed the latest v4.2 branch from SF of snmp_agent.c, 
>> snmp_agent.h, and snmp_api.h which seem to compile for ecos with 
>> virtually no changes (used the ECOS includes for snmp_agent.c)
>> The latest snmp_agent.c seems to do a nice job of cleaning up memory 
>> and has a slightly faster SET operation.
>> http://net-snmp.cvs.sourceforge.net/net-snmp/net-snmp/agent/snmp_agent.c?view=log&r1=1.100&pathrev=V4-2-patches 
>> et. al.
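
An added example, not part of the original posts and not eCos or net-snmp code: a self-contained C model of the leak described in this thread, where a handler drops its 50k PDU when the send fails, next to a version that frees it on the error path. All names (toy_send, pdu_new, handle_leaky, handle_fixed) are hypothetical, and the model assumes the send routine frees the PDU only on success.

```c
#include <stdio.h>
#include <stdlib.h>

#define PACKET_LENGTH 8192          /* response size limit named in the post */
#define PDU_ALLOC     (50 * 1024)   /* the "50k" allocated per request */
static size_t live_bytes;           /* demo counter: PDU bytes not yet freed */

struct var { unsigned char *data; };            /* stand-in for a varbind */
struct pdu { struct var v; size_t resp_len; };

static struct pdu *pdu_new(size_t resp_len) {
    struct pdu *p = malloc(sizeof *p);
    if (!p) return NULL;
    p->resp_len = resp_len;
    p->v.data = 0;                  /* initialize so cleanup can test it */
    unsigned char *buf = malloc(PDU_ALLOC);
    if (buf) { p->v.data = buf; live_bytes += PDU_ALLOC; }
    return p;
}

static void pdu_free(struct pdu *p) {
    if (!p) return;
    if (p->v.data != 0) { free(p->v.data); live_bytes -= PDU_ALLOC; }
    free(p);
}

/* Assumed contract: frees the PDU on success; on failure the caller owns it. */
static int toy_send(struct pdu *p) {
    if (p->resp_len > PACKET_LENGTH) return 0;  /* response too large */
    pdu_free(p);
    return 1;
}

static int handle_leaky(size_t resp_len) {      /* the bug: no cleanup on failure */
    struct pdu *p = pdu_new(resp_len);
    if (!p) return -1;
    return toy_send(p) ? 0 : -1;
}

static int handle_fixed(size_t resp_len) {      /* frees the PDU when send fails */
    struct pdu *p = pdu_new(resp_len);
    if (!p) return -1;
    if (!toy_send(p)) { pdu_free(p); return -1; }
    return 0;
}

static size_t leaked_after(int (*h)(size_t), int requests, size_t resp_len) {
    size_t before = live_bytes;
    for (int i = 0; i < requests; i++) h(resp_len);
    return live_bytes - before;
}

int main(void) {
    printf("leaky: %zu bytes\n", leaked_after(handle_leaky, 5, 9000));
    printf("fixed: %zu bytes\n", leaked_after(handle_fixed, 5, 9000));
    return 0;
}
```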
