SIGSEGV: not enough space or error in allocation for extenstion

[minfrin]

When configuring snmpd to read a certificate that has been put in place via a symbolic link, snmpd crashes as follows:

[root@localhost tls]# systemctl status snmpd.service
● snmpd.service - Simple Network Management Protocol (SNMP) Daemon.
   Loaded: loaded (/usr/lib/systemd/system/snmpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: core-dump) since Wed 2020-12-16 21:21:59 SAST; 16min ago
  Process: 53269 ExecStart=/usr/sbin/snmpd $OPTIONS -f (code=dumped, signal=SEGV)
 Main PID: 53269 (code=dumped, signal=SEGV)

Dec 16 21:21:57 localhost systemd[1]: Starting Simple Network Management Protocol (SNMP) Daemon....
Dec 16 21:21:58 localhost snmpd[53269]: refusing to read world readable or writable key /etc/snmp/tls/certs/snmpd.crt
Dec 16 21:21:58 localhost snmpd[53269]: not enough space or error in allocation for extenstion
Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Main process exited, code=dumped, status=11/SEGV
Dec 16 21:21:59 localhost systemd[1]: snmpd.service: Failed with result 'core-dump'.
Dec 16 21:21:59 localhost systemd[1]: Failed to start Simple Network Management Protocol (SNMP) Daemon..

Working backwards from the last (misspelled - "extension") error message:

https://github.com/haad/net-snmp/blob/c629882ba31aaf27c859de2d47a6401849661ccd/snmplib/snmp_openssl.c#L222

We return NULL from _cert_get_extension().

Searching for cases where we call _cert_get_extension() but don't handle a NULL result:

net-snmp/snmplib/snmp_openssl.c

Line 502 in f7ceedb

lf = strchr(str, '\n'); /* look for multiline strings */

[bvanassche]

Please retest with the latest version of either the v5.9 branch or the master branch.

[minfrin]

This problem was tested on v5.9 and exists in the v5.9 and master branch.

Please don't close issues until they have been properly investigated. I've pointed out the line of the code where the problem lies, github makes it trivial to see this problem on various branches.

I have a patch that avoids the crash, I have to mess about with forks before I can submit it. You'll see that shortly.

[bvanassche]

Reopened. This issue was closed automatically by github since I used the "Fixes:" tag in a commit description.

[minfrin]

No worries, github is being too clever for its own good.

[minfrin]

Bug at Redhat: https://bugzilla.redhat.com/show_bug.cgi?id=1908718

[paride]

Hi, IIUC this is fixed in both the master and V5-9-patches branches (bb30f8e), and this issue is still open waiting for confirmation that the fix actually works, correct?

[minfrin]

Hi, IIUC this is fixed in both the master and V5-9-patches branches (bb30f8e), and this issue is still open waiting for confirmation that the fix actually works, correct?

Not correct, no.

Two fixes were developed at the same time, and clashed. The first fix to the segfault only auto-closed this ticket (thanks github) and the ticket was reopened. The second fix also fixed the buffer-too-small that triggered the error path that caused the crash.

All outstanding PRs have been committed, this ticket can be closed.

[paride]

@minfrin thanks for clarifying, I see that the second fix (bb30f8e, your fix) landed, but doesn't have a Fixes: ... in the commit message. As you opened this issue you can also close it I think.