From: martijn
Date: Fri, 27 Oct 2023 10:26:20 +0000 (+0000)
Subject: Add a test that would cause a use after free previously by sending a
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=e024f79d1742353cf5680106c4fbd19da1b0b060;p=openbsd
Add a test that would cause a use after free previously by sending a protocol error-ed message and immediately followed up by a connection close. OK tb@
---
diff --git a/regress/usr.sbin/snmpd/Makefile b/regress/usr.sbin/snmpd/Makefile
index dfdb717d78c..18f158c627d 100644
--- a/regress/usr.sbin/snmpd/Makefile
+++ b/regress/usr.sbin/snmpd/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.5 2023/10/24 14:34:40 martijn Exp $
+# $OpenBSD: Makefile,v 1.6 2023/10/27 10:26:20 martijn Exp $
 # Regress tests for snmpd
 PROG = snmpd_regress
@@ -51,6 +51,7 @@ AGENTX_TARGETS+= agentx_ping_new_index
 AGENTX_TARGETS+= agentx_ping_any_index
 AGENTX_TARGETS+= agentx_ping_nbo_nnbo
 AGENTX_TARGETS+= agentx_ping_nnbo_nbo
+AGENTX_TARGETS+= agentx_ping_invalid_version_close
 AGENTX_TARGETS+= agentx_close_notopen
 AGENTX_TARGETS+= agentx_close_reasonother
 AGENTX_TARGETS+= agentx_close_reasonparseerror
diff --git a/regress/usr.sbin/snmpd/agentx.c b/regress/usr.sbin/snmpd/agentx.c
index ade5dd814e5..a6e9c08489c 100644
--- a/regress/usr.sbin/snmpd/agentx.c
+++ b/regress/usr.sbin/snmpd/agentx.c
@@ -706,6 +706,45 @@ agentx_ping_nnbo_nbo(void)
 close(s);
 }
+/*
+ * Test that everything continues running in double exception condition
+ */
+void
+agentx_ping_invalid_version_close(void)
+{
+ struct sockaddr_storage ss;
+ struct message msg = {};
+ struct sockaddr *sa = (struct sockaddr *)&ss;
+ socklen_t salen;
+ int snmp_s, ax_s;
+ uint32_t sessionid, packetid;
+ struct varbind varbind = {
+ .type = TYPE_NULL,
+ .name = OID_STRUCT(MIB_SUBAGENT_PING, 10, 0),
+ };
+ int32_t requestid;
+ char buf[1024];
+ size_t n;
+
+ ax_s = agentx_connect(axsocket);
+ sessionid = agentx_open(ax_s, 0, 0,
+ OID_ARG(MIB_SUBAGENT_PING, 10), __func__);
+ message_add_header(&msg, 0xFF, AGENTX_PING_PDU, INSTANCE_REGISTRATION,
+ sessionid, 0, packetid);
+
+ agentx_write(ax_s, &msg);
+ close(ax_s);
+
+ salen = snmp_resolve(SOCK_DGRAM, hostname, servname, sa);
+ snmp_s = snmp_connect(SOCK_DGRAM, sa, salen);
+ requestid = snmpv2_get(snmp_s, community, 0, &varbind, 1);
+
+ varbind.type = TYPE_NOSUCHOBJECT;
+
+ snmpv2_response_validate(snmp_s, 1000, community, requestid, 0, 0,
+ &varbind, 1);
+}
+
 void
 agentx_close_notopen(void)
 {
diff --git a/regress/usr.sbin/snmpd/regress.h b/regress/usr.sbin/snmpd/regress.h
index ef496112708..9e4c0fda540 100644
--- a/regress/usr.sbin/snmpd/regress.h
+++ b/regress/usr.sbin/snmpd/regress.h
@@ -170,6 +170,7 @@ void agentx_ping_new_index(void);
 void agentx_ping_any_index(void);
 void agentx_ping_nbo_nnbo(void);
 void agentx_ping_nnbo_nbo(void);
+void agentx_ping_invalid_version_close(void);
 void agentx_close_notopen(void);
 void agentx_close_reasonother(void);
 void agentx_close_reasonparseerror(void);
diff --git a/regress/usr.sbin/snmpd/snmpd_regress.c b/regress/usr.sbin/snmpd/snmpd_regress.c
index a4decb6480f..bb2235ee837 100644
--- a/regress/usr.sbin/snmpd/snmpd_regress.c
+++ b/regress/usr.sbin/snmpd/snmpd_regress.c
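Review bot: `packetid` is passed to `message_add_header()` in the new `agentx_ping_invalid_version_close()` without ever being assigned, so the PDU carries an indeterminate value and the bytes sent differ from run to run; assign it before the call, e.g. `packetid = arc4random();` or a fixed constant. `buf` and `n` are declared but never used, and `snmp_s` is not closed at the end, whereas the preceding test visibly ends with `close(s);`. The header comment ("double exception condition") does not say what is being guarded; something like `/* Send a PDU with a bad version (0xFF), close the socket at once, then check snmpd still answers a GET with noSuchObject. */` would tell a maintainer what a failure means. Because the regression is a use after free, the test presumably only fails when the stale access actually crashes or stalls snmpd, so the regress run is most useful with the allocator's free/junk checking enabled for the daemon.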
@@ -36,6 +36,7 @@ const struct {
 { "agentx_ping_any_index", agentx_ping_any_index },
 { "agentx_ping_nbo_nnbo", agentx_ping_nbo_nnbo },
 { "agentx_ping_nnbo_nbo", agentx_ping_nnbo_nbo },
+ { "agentx_ping_invalid_version_close", agentx_ping_invalid_version_close },
 { "agentx_close_notopen", agentx_close_notopen },
 { "agentx_close_reasonother", agentx_close_reasonother },
 { "agentx_close_reasonparseerror", agentx_close_reasonparseerror },