1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
From d16c24542b2f96a194d43a73c2e5778822b9cb47 Mon Sep 17 00:00:00 2001
From: Pavel Rochnyack <pavel2000@ngs.ru>
Date: Wed, 31 May 2017 23:27:13 +0700
Subject: [PATCH] snmp plugin: Fix double free of request PDU
snmp_sess_synch_response() always frees request PDU, in both case of request
error and success. If error condition occurs inside of `while (status == 0)`
loop, double free of `req` happens.
Issue: #2291
Signed-off-by: Florian Forster <octo@collectd.org>
---
src/snmp.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/src/snmp.c b/src/snmp.c
index 287f44b4e9..6e26ad59da 100644
--- a/src/snmp.c
+++ b/src/snmp.c
@@ -1357,11 +1357,13 @@ static int csnmp_read_table(host_definition_t *host, data_definition_t *data) {
if (oid_list_todo_num == 0) {
/* The request is still empty - so we are finished */
DEBUG("snmp plugin: all variables have left their subtree");
+ snmp_free_pdu(req);
status = 0;
break;
}
res = NULL;
+ /* snmp_sess_synch_response always frees our req PDU */
status = snmp_sess_synch_response(host->sess_handle, req, &res);
if ((status != STAT_SUCCESS) || (res == NULL)) {
char *errstr = NULL;
@@ -1376,8 +1378,6 @@ static int csnmp_read_table(host_definition_t *host, data_definition_t *data) {
snmp_free_pdu(res);
res = NULL;
- /* snmp_synch_response already freed our PDU */
- req = NULL;
sfree(errstr);
csnmp_host_close_session(host);
@@ -1492,9 +1492,6 @@ static int csnmp_read_table(host_definition_t *host, data_definition_t *data) {
snmp_free_pdu(res);
res = NULL;
- if (req != NULL)
- snmp_free_pdu(req);
- req = NULL;
if (status == 0)
csnmp_dispatch_table(host, data, instance_list_head, value_list_head);
|
