Ethereal-users: [Ethereal-users] Re: Question about [Malformed Packet: SNMP] in SNMP Get-Next-Re

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Wes Hardaker <wjhns36@xxxxxxxxxxxxx>
Date: Wed, 02 Feb 2005 09:13:42 -0800
>>>>> On Wed, 02 Feb 2005 21:40:06 +1100, Andrew Hood <ajhood@xxxxxxxxx> said:

Andrew> The bit Ethereal considers malformed is the last 3 bytes - 06 01 d0
Andrew> 06 - ASN.1 type OID
Andrew> 01 - encoded length is 1 byte
Andrew> d0 - the OID value

Andrew> d0 has the high bit set, meaning there should be more bytes to
Andrew> the subidentifier but the data has length 1, hence the packet
Andrew> is malformed.  In an SNMP process with less strict parsing
Andrew> this may produce a buffer overflow.

Actually, no.  The first two numbers of an OID (A.B) are actually encoded
into the first byte using a value of A * 40 + B.  Thus what is
normally the first 2 numbers of most OIDs (1.3) is actually the first
byte in any OID as 43 = 0x2b.  d0 is then the OID 5.8.  Now, the only
thing I'm not positive about is if the high bit is allowed to be used
in this way or if it extends the first byte as well.  I'd have to go
look up a reference book to remember that.  If that's the case, that's
certainly the problem.

Note that in this case the manager is broken as well, because it's
sending the GETNEXT response back with the value still in place.  This
is actually illegal because it should be replacing the value with a
NULL (BER: 05 00) value instead.

Andrew> IF-MIB::ifSpeed is returning INTEGER and should be Gauge32 or
Andrew> Unsigned32.

Column 22 is actually ifSpecific, not ifSpeed.  And its value should
be an OID.

# snmptranslate -Ib -Td ifSpecific
IF-MIB::ifSpecific
ifSpecific OBJECT-TYPE
  -- FROM       IF-MIB, RFC1213-MIB
  SYNTAX        OBJECT IDENTIFIER
  MAX-ACCESS    read-only
  STATUS        deprecated
  DESCRIPTION   "A reference to MIB definitions specific to the particular
            media being used to realize the interface.  It is
            recommended that this value point to an instance of a MIB
            object in the media-specific MIB, i.e., that this object
            have the semantics associated with the InstancePointer
            textual convention defined in RFC 2579.  In fact, it is
            recommended that the media-specific MIB specify what value
            ifSpecific should/can take for values of ifType.  If no MIB
            definitions specific to the particular media are available,
            the value should be set to the OBJECT IDENTIFIER { 0 0 }."
::= { iso(1) org(3) dod(6) internet(1) mgmt(2) mib-2(1) interfaces(2) ifTable(2) ifEntry(1) 22 }

-- 
Wes Hardaker
Sparta
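The BER OID encoding discussed above, as an added example that is not part of the thread: a small Python decoder that walks the base-128 subidentifiers, splits the packed first subidentifier into A.B, and flags the thread's `06 01 d0` as truncated the way Ethereal did. It assumes short-form lengths only; per X.690 the packed first subidentifier 40*A+B uses the same continuation bit as every other subidentifier, which is why a lone 0xd0 cannot be a complete value.

```python
# Added example (not from the original thread): a minimal BER OID decoder
# that mirrors how Ethereal judged "06 01 d0" malformed.  Per X.690 the
# first two arcs A.B are packed into ONE subidentifier 40*A + B, and that
# subidentifier uses the same base-128 continuation rule as all the rest,
# so a final byte with the high bit set means the value was cut short.


class MalformedOID(ValueError):
    """Raised when an OID value body ends inside a subidentifier."""


def decode_oid(body: bytes) -> str:
    """Decode the contents octets of an OBJECT IDENTIFIER (tag/length removed)."""
    if not body:
        raise MalformedOID("empty OID value")
    subids = []
    value = 0
    for i, byte in enumerate(body):
        value = (value << 7) | (byte & 0x7F)
        if byte & 0x80:  # continuation bit: this subidentifier has more bytes
            if i == len(body) - 1:
                raise MalformedOID(f"truncated subidentifier, last byte 0x{byte:02x}")
            continue
        subids.append(value)
        value = 0
    first = subids[0]
    # X.690 8.19.4: first subidentifier = 40*A + B; A is 0 or 1 only when B <= 39
    a = 2 if first >= 80 else first // 40
    b = first - 40 * a
    return ".".join(str(x) for x in [a, b] + subids[1:])


def decode_oid_tlv(tlv: bytes) -> str:
    """Decode a complete OID TLV: tag 0x06, short-form length, value."""
    if len(tlv) < 2 or tlv[0] != 0x06:
        raise MalformedOID("not an OBJECT IDENTIFIER TLV")
    length = tlv[1]
    if length & 0x80 or len(tlv) != 2 + length:
        raise MalformedOID("long-form or inconsistent length")
    return decode_oid(tlv[2:])


def is_malformed_oid_tlv(tlv: bytes) -> bool:
    """True when the TLV cannot be decoded, e.g. the 06 01 d0 from the thread."""
    try:
        decode_oid_tlv(tlv)
    except MalformedOID:
        return True
    return False
```

The constructed inputs in the checks are the ifSpecific OID from the snmptranslate output above and the thread's three malformed bytes.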