Re: pkg/49860: DoS against snmpd on netbsd routers

To: 6bone%6bone.informatik.uni-leipzig.de@localhost, gnats-bugs%NetBSD.org@localhost
Subject: Re: pkg/49860: DoS against snmpd on netbsd routers
From: christos%zoulas.com@localhost (Christos Zoulas)
Date: Mon, 27 Apr 2015 10:45:59 -0400

On Apr 27,  3:16pm, 6bone%6bone.informatik.uni-leipzig.de@localhost (6bone%6bone.informatik.uni-leipzig.de@localhost) wrote:
-- Subject: Re: pkg/49860: DoS against snmpd on netbsd routers

| On Sun, 26 Apr 2015, Joerg Sonnenberger wrote:
| 
| > Can you ktrace it to see what it is doing? Does sockstat work fine? The
| > problem with net-snmp is that it is extremely messy code and quite a few
| > things are using kmem when they don't have to, so it is easy to hit race
| > conditions and the like.
| 
| I've never worked with ktrace. I have tested ktruss -p <pid snmpd>
| 
| The output at 100% CPU was as follows:
| 
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| ....
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
| = 0x7f7feeb00000
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| ...
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
| = 0x7f7fee300000
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| ...
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
| = 0x7f7fee200000
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| ...
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    mmap(0, 0x100000, 0x3, 0x14001002, 0xffffffff, 0, 0) 
| = 0x7f7fedf00000
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| 10754      1 snmpd    __clock_gettime50(0x3, 0x7f7fffffd930) = 0
| ...
| 
| Does that help?

Not very much, it seems to keep allocating memory... So perhaps gdb the
process, break in malloc, and print a backtrace?

$ gdb /path/to/snmpd pid-of-snmp-d
(gdb) break malloc
(gdb) continue
(gdb) where
(gdb) quit
[hopefully it [snmpd] did not die, but it could...]

christos

Follow-Ups:
- Re: pkg/49860: DoS against snmpd on netbsd routers
  - From: 6bone

References:
- Re: pkg/49860: DoS against snmpd on netbsd routers
  - From: 6bone

Prev by Date: Re: pkg/49860: DoS against snmpd on netbsd routers
Next by Date: Re: pkg/49860: DoS against snmpd on netbsd routers
Previous by Thread: Re: pkg/49860: DoS against snmpd on netbsd routers
Next by Thread: Re: pkg/49860: DoS against snmpd on netbsd routers
Indexes:

Home | Main Index | Thread Index | Old Index