NULL Pointer Exception when handling ipv6IpForwarding #475
handle_ipv6IpForwarding() in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP from 5.4.3 to the latest (5.9.3) version has a NULL Pointer Exception bug that can be used by an unauthenticated attacker to remotely cause the instance to crash via a crafted UDP packet, resulting in Denial of Service. The PoC is here. After sending an SNMPSET packet with a varlist [1.3.6.1.2.1.4.25.0, NULL], the snmpd daemon handles the packet with handle_ipv6IpForwarding(), in which requests->requestvb->val.integer references the val pointer that is NULL. Then the snmpd daemon crashes due to a segmentation fault.

Comments

This issue seems to be associated with CVE-2022-44793.

Hi all!

The right check is more like since right now you can set an OCTET-STRING or an OBJECT IDENTIFIER or any other type and pass an unexpected value to

@fenner, indeed, much better than just checking every level manually :). As for me, I'd prefer (if possible) to do the check here as well, as a second level of protection (even though it might be rejected somewhere else, before reaching the ground...). By the way, I guess I see at least a few other places where this check might be useful (e.g., in handle_ipAddressSpinLock, handle_ipDefaultTTL...) - the same possible NULL-pointer access to the same field...

@fenner, as a follow-up, a little patch-tuning based on your suggestion:

IMO NULL pointer checks when the input has been validated already result in less readable code. Where does it stop? Should you check that the requests input is not NULL, even though the API guarantees that it is not?

Actually, all the

@menglong2234, yeah, I noticed that too. However, I think it should be done in a separate patch (if ever considered as a bug).

Correct, that is why my proposal for a fix is to reject any SET with a NULL varbind - to protect all handlers in this file and others. I have started on this path and I thought I had something, but it turns out it rejects all SET requests, so I will keep trying.

Intuitively, the root cause is that

My (now-working) proposal is at https://github.com/fenner/net-snmp/tree/set-null - V5-9-patches...fenner:net-snmp:set-null (I intend to squash the 3 commits to snmp_agent.c into one before committing for real)

be80410 mentions this issue as well to be fixed.

Hi all .. thanks for looking into this .. does anyone know if there is a planned port of this (and other) new features/bugfixes etc. to the codebase available for download at https://sourceforge.net/projects/net-snmp/files/net-snmp?

The SourceForge infrastructure is broken. If we try to push the latest code to the SourceForge git repository, an error message appears. Please download the Net-SNMP source code from https://github.com/net-snmp/net-snmp/.

OK, thanks Bart, will do. Looks like the latest tag is still 5.9.3 (which would still have this issue, if I understand things correctly) .. is there a timeline for a tag for 5.10 (or whatever release will contain this fix)?

Fixed by be80410
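The NULL-varbind crash described in the issue text, together with the two fixes discussed in the thread (a per-handler check, and fenner's proposal to reject any SET carrying a NULL varbind before it reaches a handler), as an added C example that is not code from Net-SNMP or from anyone in this thread. The structs, the handle_set_* functions and reject_null_varbinds() are hypothetical stand-ins for net-snmp's netsnmp_variable_list, netsnmp_request_info and handle_ipv6IpForwarding() so the file compiles offline; only the BER tag values and the SNMP error-status numbers are the real ones.

```c
/* Added example (not Net-SNMP code). The structs are a minimal, hypothetical
 * stand-in for net-snmp's netsnmp_variable_list / netsnmp_request_info so the
 * file compiles offline; the tag and error values are the real SNMP ones. */
#include <stddef.h>
#include <stdio.h>

#define ASN_INTEGER        0x02  /* BER universal tag: INTEGER */
#define ASN_NULL           0x05  /* BER universal tag: NULL */
#define SNMP_ERR_NOERROR   0     /* SNMP error-status values */
#define SNMP_ERR_WRONGTYPE 7

typedef struct variable_list {
    unsigned char type;          /* ASN_INTEGER, ASN_NULL, ... */
    union {                      /* all members share one pointer slot */
        long *integer;
        unsigned char *string;
    } val;                       /* val.integer is NULL for an ASN_NULL varbind */
    size_t val_len;
} variable_list;

typedef struct request_info {
    variable_list *requestvb;
    struct request_info *next;
} request_info;

static long ipv6_forwarding_value = 2;   /* constructed state: notForwarding(2) */

/* Vulnerable pattern from the report: the handler trusts the varbind and
 * dereferences val.integer, which is NULL when the client sent [oid, NULL]. */
int handle_set_unchecked(request_info *requests)
{
    ipv6_forwarding_value = *requests->requestvb->val.integer;  /* crash on NULL */
    return SNMP_ERR_NOERROR;
}

/* Per-handler fix: confirm the type and the pointer before touching the union. */
int handle_set_checked(request_info *requests)
{
    variable_list *vb = requests->requestvb;
    if (vb->type != ASN_INTEGER || vb->val.integer == NULL)
        return SNMP_ERR_WRONGTYPE;       /* agent reports wrongType to the client */
    ipv6_forwarding_value = *vb->val.integer;
    return SNMP_ERR_NOERROR;
}

/* Agent-level fix in the spirit of "reject any SET with a NULL varbind":
 * one pass over the request list before any handler runs, so every handler
 * in the file (and others) is protected without per-handler NULL checks. */
int reject_null_varbinds(request_info *requests)
{
    request_info *r;
    for (r = requests; r != NULL; r = r->next) {
        if (r->requestvb == NULL || r->requestvb->type == ASN_NULL ||
            r->requestvb->val.integer == NULL)
            return SNMP_ERR_WRONGTYPE;
    }
    return SNMP_ERR_NOERROR;
}

/* Constructed SET request carrying the varbind [1.3.6.1.2.1.4.25.0, NULL].
 * handle_set_unchecked() would segfault here; both fixes reject it instead. */
int demo_null_varbind_rejected(void)
{
    variable_list vb = { ASN_NULL, { NULL }, 0 };
    request_info req = { &vb, NULL };
    return reject_null_varbinds(&req) == SNMP_ERR_WRONGTYPE &&
           handle_set_checked(&req) == SNMP_ERR_WRONGTYPE;
}

/* Constructed well-formed SET: INTEGER forwarding(1) passes both checks and
 * the unchecked handler too, so the fix does not break legitimate writes. */
int demo_integer_varbind_accepted(void)
{
    long one = 1;
    variable_list vb = { ASN_INTEGER, { &one }, sizeof one };
    request_info req = { &vb, NULL };
    return reject_null_varbinds(&req) == SNMP_ERR_NOERROR &&
           handle_set_unchecked(&req) == SNMP_ERR_NOERROR &&
           handle_set_checked(&req) == SNMP_ERR_NOERROR &&
           ipv6_forwarding_value == 1;
}

int main(void)
{
    printf("NULL varbind rejected:    %s\n", demo_null_varbind_rejected() ? "yes" : "no");
    printf("INTEGER varbind accepted: %s\n", demo_integer_varbind_accepted() ? "yes" : "no");
    return 0;
}
```

Both demo functions return 1. The agent-level pass is what makes the thread's objection ("where does it stop?") moot for handlers: once the dispatcher has refused NULL varbinds, the per-handler test reduces to the type check that real Net-SNMP handlers already express with netsnmp_check_vb_type() in the reserve phase.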