Add a test that would cause a use after free previously by sending a

protocol error-ed message and immediately followed up by a connection
close.

OK tb@

diff --git a/regress/usr.sbin/snmpd/Makefile b/regress/usr.sbin/snmpd/Makefile
index dfdb717..18f158c 100644 (file)
--- a/regress/usr.sbin/snmpd/Makefile
+++ b/regress/usr.sbin/snmpd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.5 2023/10/24 14:34:40 martijn Exp $
+# $OpenBSD: Makefile,v 1.6 2023/10/27 10:26:20 martijn Exp $
 # Regress tests for snmpd
 
 PROG =                         snmpd_regress
@@ -51,6 +51,7 @@ AGENTX_TARGETS+=              agentx_ping_new_index
 AGENTX_TARGETS+=               agentx_ping_any_index
 AGENTX_TARGETS+=               agentx_ping_nbo_nnbo
 AGENTX_TARGETS+=               agentx_ping_nnbo_nbo
+AGENTX_TARGETS+=               agentx_ping_invalid_version_close
 AGENTX_TARGETS+=               agentx_close_notopen
 AGENTX_TARGETS+=               agentx_close_reasonother
 AGENTX_TARGETS+=               agentx_close_reasonparseerror

diff --git a/regress/usr.sbin/snmpd/agentx.c b/regress/usr.sbin/snmpd/agentx.c
index ade5dd8..a6e9c08 100644 (file)
--- a/regress/usr.sbin/snmpd/agentx.c
+++ b/regress/usr.sbin/snmpd/agentx.c
@@ -706,6 +706,45 @@ agentx_ping_nnbo_nbo(void)
        close(s);
 }
 
+/*
+ * Test that everything continues running in double exception condition
+ */
+void
+agentx_ping_invalid_version_close(void)
+{
+       struct sockaddr_storage ss;
+       struct message msg = {};
+       struct sockaddr *sa = (struct sockaddr *)&ss;
+       socklen_t salen;
+       int snmp_s, ax_s;
+       uint32_t sessionid, packetid;
+       struct varbind varbind = {
+               .type = TYPE_NULL,
+               .name = OID_STRUCT(MIB_SUBAGENT_PING, 10, 0),
+       };
+       int32_t requestid;
+       char buf[1024];
+       size_t n;
+
+       ax_s = agentx_connect(axsocket);
+       sessionid = agentx_open(ax_s, 0, 0,
+           OID_ARG(MIB_SUBAGENT_PING, 10), __func__);
+       message_add_header(&msg, 0xFF, AGENTX_PING_PDU, INSTANCE_REGISTRATION,
+           sessionid, 0, packetid);
+
+       agentx_write(ax_s, &msg);
+       close(ax_s);
+
+       salen = snmp_resolve(SOCK_DGRAM, hostname, servname, sa);
+       snmp_s = snmp_connect(SOCK_DGRAM, sa, salen);
+       requestid = snmpv2_get(snmp_s, community, 0, &varbind, 1);
+
+       varbind.type = TYPE_NOSUCHOBJECT;
+
+       snmpv2_response_validate(snmp_s, 1000, community, requestid, 0, 0,
+           &varbind, 1);
+}
+
 void
 agentx_close_notopen(void)
 {

diff --git a/regress/usr.sbin/snmpd/regress.h b/regress/usr.sbin/snmpd/regress.h
index ef49611..9e4c0fd 100644 (file)
--- a/regress/usr.sbin/snmpd/regress.h
+++ b/regress/usr.sbin/snmpd/regress.h
@@ -170,6 +170,7 @@ void agentx_ping_new_index(void);
 void agentx_ping_any_index(void);
 void agentx_ping_nbo_nnbo(void);
 void agentx_ping_nnbo_nbo(void);
+void agentx_ping_invalid_version_close(void);
 void agentx_close_notopen(void);
 void agentx_close_reasonother(void);
 void agentx_close_reasonparseerror(void);

diff --git a/regress/usr.sbin/snmpd/snmpd_regress.c b/regress/usr.sbin/snmpd/snmpd_regress.c
index a4decb6..bb2235e 100644 (file)
--- a/regress/usr.sbin/snmpd/snmpd_regress.c
+++ b/regress/usr.sbin/snmpd/snmpd_regress.c
@@ -36,6 +36,7 @@ const struct {
        { "agentx_ping_any_index", agentx_ping_any_index },
        { "agentx_ping_nbo_nnbo", agentx_ping_nbo_nnbo },
        { "agentx_ping_nnbo_nbo", agentx_ping_nnbo_nbo },
+       { "agentx_ping_invalid_version_close", agentx_ping_invalid_version_close },
        { "agentx_close_notopen", agentx_close_notopen },
        { "agentx_close_reasonother", agentx_close_reasonother },
        { "agentx_close_reasonparseerror", agentx_close_reasonparseerror },