snmp plugin: Fix double free of request PDU
snmp_sess_synch_response() always frees the request PDU, both when the request
fails and when it succeeds. If an error condition occurs inside the
`while (status == 0)` loop, a double free of `req` happens.

Issue: #2291
Signed-off-by: Florian Forster <octo@collectd.org>
Pavel Rochnyack authored and octo committed Sep 27, 2017
1 parent 6c082e9 commit d16c245
Showing 1 changed file with 2 additions and 5 deletions.
7 changes: 2 additions & 5 deletions src/snmp.c
@@ -1357,11 +1357,13 @@ static int csnmp_read_table(host_definition_t *host, data_definition_t *data) {
if (oid_list_todo_num == 0) {
/* The request is still empty - so we are finished */
DEBUG("snmp plugin: all variables have left their subtree");
snmp_free_pdu(req);
status = 0;
break;
}

res = NULL;
/* snmp_sess_synch_response always frees our req PDU */
status = snmp_sess_synch_response(host->sess_handle, req, &res);
if ((status != STAT_SUCCESS) || (res == NULL)) {
char *errstr = NULL;
@@ -1376,8 +1378,6 @@ static int csnmp_read_table(host_definition_t *host, data_definition_t *data) {
snmp_free_pdu(res);
res = NULL;

/* snmp_synch_response already freed our PDU */
req = NULL;
sfree(errstr);
csnmp_host_close_session(host);

@@ -1492,9 +1492,6 @@ static int csnmp_read_table(host_definition_t *host, data_definition_t *data) {
snmp_free_pdu(res);
res = NULL;

if (req != NULL)
snmp_free_pdu(req);
req = NULL;

if (status == 0)
csnmp_dispatch_table(host, data, instance_list_head, value_list_head);
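Review bot: After `snmp_sess_synch_response(host->sess_handle, req, &res)` returns, `req` still holds the address of the PDU that the call freed, and the page shows both earlier resets (`req = NULL;` in the error branch and after the loop) in hunks whose net change is deletions, so they appear to be among the lines removed. Nothing in the visible hunks reads `req` again, but csnmp_read_table continues outside them, so any later cleanup path that touches `req` would bring back the double free or a use-after-free. Adding `req = NULL;` directly after the call, and after the `snmp_free_pdu(req);` that precedes `break` in the empty-request branch, would keep the pointer state in step with ownership. The comment on the call could also say that this holds on both the success and error paths, which is the fact the fix depends on.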
