[lwip-devel] [bug #39355] SNMP Memory Leak

lwip-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[lwip-devel] [bug #39355] SNMP Memory Leak

From:	Fatih Aşıcı
Subject:	[lwip-devel] [bug #39355] SNMP Memory Leak
Date:	Sat, 29 Jun 2013 17:11:20 +0000
User-agent:	Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/28.0.1500.52 Chrome/28.0.1500.52 Safari/537.36

Follow-up Comment #2, bug #39355 (project lwip):

The problem is in the following code in snmp_error_response():

  /* move names back from outvb to invb */
  int v;
  struct snmp_varbind *vbi = msg_ps->invb.head;
  struct snmp_varbind *vbo = msg_ps->outvb.head;
  for (v=0; v<msg_ps->vb_idx; v++) {
    vbi->ident_len = vbo->ident_len;
    vbo->ident_len = 0;
    vbi->ident = vbo->ident;
    vbo->ident = NULL;
    vbi = vbi->next;
    vbo = vbo->next;
  }

snmp_msg_get_event() moves the names (ident fields) from the input
variable bindings to output variable bindings since they are same
for GET requests. In case of an error, it tries to send a response
identical to the request. The only differences are the error status
and error index values. This is the reason why the lines above move
the names back. So, overriding vbi->ident does not cause a memleak
since it does not point to a buffer.

But for GETNEXT and SET requests the situation is different.
snmp_msg_getnext_event() and snmp_msg_set_event() do not move the
names from input to output. Instead, they allocate a new memory area
for output variable bindings. This means ident fields are of input
variable bindings are NOT stale and they must be free'd. If everything
goes well, snmp_ok_response() releases them via snmp_varbind_list_free().
But, in case of an error, these functions also call snmp_error_response()
and ident fields of input variable bindings are overriden by output
variable bindings'. This problem does not occur if the error index is
zero (does not step into 'for' loop because msg_ps->vb_idx == 0).

My patch solves this problem by free'ing vbi->ident if it is not NULL.
Another solution would be to move the "rewind" code from
snmp_error_response()
into snmp_msg_get_event() since it is specific to there.


    _______________________________________________________

Reply to this item at:

  <http://savannah.nongnu.org/bugs/?39355>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.nongnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[lwip-devel] [bug #39355] SNMP Memory Leak, Fatih Aşıcı, 2013/06/28
- [lwip-devel] [bug #39355] SNMP Memory Leak, Simon Goldschmidt, 2013/06/28
  - [lwip-devel] [bug #39355] SNMP Memory Leak, Fatih Aşıcı <=

Prev by Date: [lwip-devel] [bug #38210] ip reassembly while remove oldest datagram
Next by Date: [lwip-devel] [task #12600] struct in6_addr error
Previous by thread: [lwip-devel] [bug #39355] SNMP Memory Leak
Next by thread: [lwip-devel] [bug #39356] Wrong increment in pbuf_memfind()
Index(es):
- Date
- Thread