The snmp_community ACL check segfaulted if Squid failed to parse

the SNMP query. We might want to backport this to 2.3, and release
it as a patch as this can be used to DOS anyone with SNMP enabled
and using the snmp_community ACL.

A workaround is to base access controls purely on the source address
instead of using a community.

diff --git a/src/snmp_core.cc b/src/snmp_core.cc
index efc02e6a25629e7a0158cc722a4fac794a957c1b..8d34164276eff7f257dceea5021889d693d67c28 100644 (file)
--- a/src/snmp_core.cc
+++ b/src/snmp_core.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: snmp_core.cc,v 1.44 2000/06/27 22:06:04 hno Exp $
+ * $Id: snmp_core.cc,v 1.45 2000/08/13 21:18:09 hno Exp $
  *
  * DEBUG: section 49    SNMP support
  * AUTHOR: Glenn Chisholm
@@ -512,7 +512,8 @@ snmpDecodePacket(snmp_request_t * rq)
     checklist.src_addr = rq->from.sin_addr;
     checklist.snmp_community = (char *) Community;
 
-    allow = aclCheckFast(Config.accessList.snmp, &checklist);
+    if (Community)
+       allow = aclCheckFast(Config.accessList.snmp, &checklist);
     if ((snmp_coexist_V2toV1(PDU)) && (Community) && (allow)) {
        rq->community = Community;
        rq->PDU = PDU;