
This queue is for tickets about the Net-SNMP CPAN distribution.

Report information
The Basics
Id: 104863
Status: new
Priority: 0/
Queue: Net-SNMP

People
Owner: dtown [...] cpan.org
Requestors: janl [...] langfeldt.net
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: v6.0.1
Fixed in: (no value)



Subject: Buffer overflow condition - unneeded buffer restrictions
Hi, I've been using Net::SNMP for many years (10 by now I think) for various things without issue.

Working on a performance monitoring system at an ISP I ran into an issue where Net::SNMP asks for IF-MIB::ifAlias from a P (=provider or core) router. The P and PE (provider edge) routers have an MTU of 9000 bytes set on all interfaces to facilitate different kinds of services for clients without running into MTU issues (e.g. ethernet with QinQinQ where one or two levels of Q is added in our network transparently for the client). The servers run a standard MTU of 1500 bytes.

I was able to reproduce the problem using the example program at http://cpansearch.perl.org/src/DTOWN/Net-SNMP-v6.0.1/examples/snmpwalk.pl

It runs like this:

    $ ~/snmpwalk.pl -c <COMMUNITY> -v 2c 193.75.0.79 1.3.6.1.2.1.31.1.1.1.18
    ...
    1.3.6.1.2.1.31.1.1.1.18.956 = OCTET STRING: TO: cr2.oslosda310 ID: local TXT: GigabitEthernet1/0/12
    snmpwalk: The message size exceeded the buffer maxMsgSize of 1472.

The tcpdump contains a lot of proprietary information about our network and customers from the description field of the router interfaces, so I cannot submit it (I tried to redact, but I managed to corrupt it in the process).

The tcpdump shows that "max-repetitions" is 25, and that the last response from the router was a >1500 byte packet that was fragmented on the way. The first fragment is 1514 ethernet bytes, and the second is 60 bytes. This gives an ASN.1 payload in excess of 1472 bytes, which is larger than the buffer used by Net::SNMP, and this breaks Net::SNMP (it seems that tcpdump says that the payload is 1478 bytes long).

Assuming an MTU sized packet when calculating maxrepetitions is entirely sane. But being graceful about what we receive, I think Net::SNMP needs to handle all the bytes in a return packet, even though it's larger than the maxmsgsize.

Unfortunately I've been unable to write a patch to Net::SNMP::Message and related code, so in the meantime I've worked around it with maxrepetitions.

Thanks Nicolai
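
Added example, not part of the original ticket and not Net::SNMP code: the IPv4 fragmentation arithmetic behind the sizes quoted above (1472, 1478, 1514 and 60), written in Python. It assumes Ethernet II framing without a VLAN tag, an IPv4 header without options, and a capture that does not include the frame check sequence; all function names are hypothetical.

```python
"""Added example: IPv4 fragmentation arithmetic for the sizes quoted in the ticket."""

ETH_HDR = 14   # Ethernet II header, no VLAN tag (assumption)
ETH_MIN = 60   # minimum frame length as captured, FCS not included (assumption)
IP_HDR = 20    # IPv4 header without options (assumption)
UDP_HDR = 8    # UDP header


def default_max_msg_size(mtu=1500):
    """Largest UDP payload that fits in one unfragmented IPv4 packet."""
    return mtu - IP_HDR - UDP_HDR


def fragment_frames(udp_payload_len, mtu=1500):
    """Return one dict per IPv4 fragment of a UDP datagram sent over a path MTU."""
    remaining = UDP_HDR + udp_payload_len   # bytes carried above the IPv4 header
    per_frag = (mtu - IP_HDR) // 8 * 8      # fragment offsets count 8-byte units
    frags, offset = [], 0
    while remaining > 0:
        data = min(per_frag, remaining)
        remaining -= data
        frags.append({
            "offset": offset,
            "ip_data": data,
            "more_fragments": remaining > 0,
            # short frames are padded up to the Ethernet minimum
            "frame_len": max(ETH_HDR + IP_HDR + data, ETH_MIN),
        })
        offset += data
    return frags


def check_response(udp_payload_len, max_msg_size):
    """Compare a payload size with a maxMsgSize limit (illustrative only)."""
    if udp_payload_len > max_msg_size:
        return "exceeds maxMsgSize by %d bytes" % (udp_payload_len - max_msg_size)
    return "fits"


if __name__ == "__main__":
    # 1478 is the payload length the reporter read from tcpdump.
    for frag in fragment_frames(1478):
        print(frag)
    print(check_response(1478, default_max_msg_size()))
```

A 1478-byte payload leaves 6 bytes for the second fragment, which is padded to the 60-byte minimum frame, so the two frame sizes in the report are consistent with the payload length tcpdump showed.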