Package: snmpd Version: 5.2.1.2-4 Severity: important
When receiving some SNMP traps, snmptrapd on amd64 crashes (the same traps do not crash on a 32-bit OS). I have tested this on version 5.1.2 (stable) and 5.2.1 (testing, compiled from the debian source). I can provide a packet capture of a "bad" trap, and a "good" trap that I've been using for testing reproducibility of the problem if that would help. Error from 5.1.2: Dec 27 19:58:06 localhost snmpd[11631]: NET-SNMP version 5.1.2 Dec 27 19:58:07 localhost snmptrapd[11634]: 2005-12-27 19:58:07 NET-SNMP version 5.1.2 Started. Dec 27 19:58:27 localhost kernel: snmptrapd[11634]: segfault at 0000000000000014 rip 00002aaaab6c8be0 rsp 00007fffffcdf688 error 4 Error from 5.2.1: Dec 27 20:40:26 localhost snmptrapd[12023]: 2005-12-27 20:40:26 NET-SNMP version 5.2.1.2 Started. Dec 27 20:40:26 localhost snmpd[12021]: NET-SNMP version 5.2.1.2 Dec 27 20:40:36 localhost kernel: snmptrapd[12023] general protection rip:2aaaab887be0 rsp:7fffff9e3588 error:0 Example of "bad" trap (as written to syslog, true source is McAfee's ePolicy Orchestrator "test" trap): Dec 27 19:46:23 tonto snmptrapd[5061]: 2005-12-27 19:46:23 testbox [192.168.168.60] (via 192.168.168.243) TRAP, SNMP v1, community public ^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.337 Enterprise Specific Trap (1) Uptime: 162 days, 15:23:01.38 ^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.9.337 = STRING: "Test"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.11.337 = STRING: "Directory"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.12.337 = STRING: "Directory"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.18.337 = STRING: "Any"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.19.337 = STRING: "Any"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.33.337 = STRING: "(Any)"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.15.337 = STRING: "12/22/05 10:36:24 AM"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.31.337 = STRING: "Not Available"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.32.337 = STRING: "Not Available"^ISNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.16.337 = STRING: "0"^ISNMPv2-SMI::enterprises.340 Example of "safe" trap (as written by snmptrapfmt, don't have the original syslog unfortunately, true source is a Websense server): 20051221.133044#192.168.168.62#(null)#6#4102#8818800#[1] SNMPv2-SMI::enterprises.23365.4102.1 (OctetString) : Date: 12/21/2005 1:33:28 PM.Type: Warning.Source: CPM Server..Websense CPM Alert: Malicious Software Application Launched..Client Machine Name: TEST-150XP.Client IP Address: 192.168.168.42.Domain: TEST..The application A:\\PATCH.EXE, categorized as a Malicious Software application by Client Policy Manager, has been launched on the machine identified above. This presents a potential threat to your network. To block this executable, an appropriate rule must be properly placed in the CPM rule base...For complete instructions on creating and positioning rules, refer to the Websense Enterprise Client Policy Manager Administrator's Guide, available from http://www.websense.com/global/en/SupportAndKB/ProductDocumentation.#[2] SNMP-COMMUNITY-MIB::snmpTrapAddress.0 (OctetString) : 10.10.10.1#[3] SNMP-COMMUNITY-MIB::snmpTrapCommunity.0 (OctetString) : public Websense seems to only send one field along, while the ePO test sent many, but I haven't been able to test and see if other numbers of fields cause problems. I can provide more information as necessary. -- System Information: Debian Release: 3.1 Architecture: amd64 (x86_64) Kernel: Linux 2.6.12-42-em64t-p4-smp Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1) Versions of packages snmpd depends on: ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an ii libsensors3 1:2.9.1-1sarge2 library to read temperature/voltag ii libsnmp9 5.2.1.2-4 NET SNMP (Simple Network Managemen ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

