Package: snmpd
Version: 5.2.1.2-4
Severity: important

When receiving some SNMP traps, snmptrapd on amd64 crashes (the same 
traps do not crash on a 32-bit OS). I have tested this on version 
5.1.2 (stable) and 5.2.1 (testing, compiled from the debian source). 
I can provide a packet capture of a "bad" trap, and a "good" trap that
I've been using for testing reproducibility of the problem if that would
help.

Error from 5.1.2:

Dec 27 19:58:06 localhost snmpd[11631]: NET-SNMP version 5.1.2
Dec 27 19:58:07 localhost snmptrapd[11634]: 2005-12-27 19:58:07 NET-SNMP 
version 5.1.2 Started.
Dec 27 19:58:27 localhost kernel: snmptrapd[11634]: segfault at 
0000000000000014 rip 00002aaaab6c8be0 rsp 00007fffffcdf688 error 4

Error from 5.2.1:

Dec 27 20:40:26 localhost snmptrapd[12023]: 2005-12-27 20:40:26 NET-SNMP 
version 5.2.1.2 Started.
Dec 27 20:40:26 localhost snmpd[12021]: NET-SNMP version 5.2.1.2
Dec 27 20:40:36 localhost kernel: snmptrapd[12023] general protection 
rip:2aaaab887be0 rsp:7fffff9e3588 error:0

Example of "bad" trap (as written to syslog, true source is McAfee's ePolicy
Orchestrator "test" trap):

Dec 27 19:46:23 tonto snmptrapd[5061]: 2005-12-27 19:46:23
testbox [192.168.168.60] (via 192.168.168.243) TRAP,
SNMP v1, community public
^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.337 Enterprise Specific
Trap (1) Uptime: 162 days, 15:23:01.38
^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.9.337 = STRING:
"Test"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.11.337 = STRING:
"Directory"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.12.337 =
STRING: "Directory"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.18.337
= STRING: "Any"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.19.337 =
STRING: "Any"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.33.337 =
STRING: "(Any)"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.15.337 =
STRING: "12/22/05 10:36:24
AM"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.31.337 = STRING: "Not
Available"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.32.337 = STRING:
"Not Available"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.16.337 =
STRING: "0"^ISNMPv2-SMI::enterprises.340

Example of "safe" trap (as written by snmptrapfmt, don't have the
original syslog unfortunately, true source is a Websense server):

20051221.133044#192.168.168.62#(null)#6#4102#8818800#[1]
SNMPv2-SMI::enterprises.23365.4102.1 (OctetString) : Date: 12/21/2005
1:33:28 PM.Type: Warning.Source: CPM Server..Websense CPM Alert:
Malicious Software Application Launched..Client Machine Name:
TEST-150XP.Client IP Address: 192.168.168.42.Domain: TEST..The
application A:\\PATCH.EXE, categorized as a Malicious Software
application by Client Policy Manager, has been launched on the machine
identified above. This presents a potential threat to your network.  To
block this executable, an appropriate rule must be properly placed in
the CPM rule base...For complete instructions on creating and
positioning rules, refer to the Websense Enterprise Client Policy
Manager Administrator's Guide, available from
http://www.websense.com/global/en/SupportAndKB/ProductDocumentation.#[2]
SNMP-COMMUNITY-MIB::snmpTrapAddress.0 (OctetString) : 10.10.10.1#[3]
SNMP-COMMUNITY-MIB::snmpTrapCommunity.0 (OctetString) : public

Websense seems to only send one field along, while the ePO test sent
many, but I haven't been able to test and see if other numbers of fields 
cause problems. 

I can provide more information as necessary. 

-- System Information:
Debian Release: 3.1
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.12-42-em64t-p4-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages snmpd depends on:
ii  libc6                    2.3.2.ds1-22    GNU C Library: Shared libraries an
ii  libsensors3              1:2.9.1-1sarge2 library to read temperature/voltag
ii  libsnmp9                 5.2.1.2-4       NET SNMP (Simple Network Managemen
ii  libwrap0                 7.6.dbs-8       Wietse Venema's TCP wrappers libra

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to