pkgsrc-Bugs archive


Re: pkg/49860: DoS against snmpd on netbsd routers



On May 2, 11:01pm, 6bone%6bone.informatik.uni-leipzig.de@localhost (6bone%6bone.informatik.uni-leipzig.de@localhost) wrote:
-- Subject: Re: pkg/49860: DoS against snmpd on netbsd routers

| On Tue, 28 Apr 2015, Christos Zoulas wrote:
| 
| > Looks like that qsort is deadly... I wonder why it thinks it needs to
| > sort something all the time. The arp stuff looks suspect as expected.
| > (if it is related to ndp). I am not sure if I have time to optimize the
| > code, but using a hashmap instead of sorting seems to be a good thing
| > to do.
| >
| 
| Yet another piece of information. In normal operation 'ndp -an | wc -l' reports
| nearly 1500 entries.
| 
| During the attack ndp reports:
| 
| ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
| ndp: failed to get neighbor information
| ndp: ioctl(SIOCGNBRINFO_IN6): Invalid argument
| ndp: failed to get neighbor information
| ...
| 
| Could that be a problem for the snmpd?

I suspect that the error handling and processing on snmpd is flawed.
Really, I should fix it... But I find the code ugly, so I don't like
working on it.

This comes from here: 
                if ((error = in6_setscope(&nb_addr, ifp, NULL)) != 0)
                        return error;

                s = splsoftnet();
                if ((rt = nd6_lookup(&nb_addr, 0, ifp)) == NULL ||
                    (ln = (struct llinfo_nd6 *)rt->rt_llinfo) == NULL) {
                        error = EINVAL;
                        splx(s);
                        break;
                }

Perhaps you can add some debugging code there and print some things?

christos

