From b82bca7c994875362dcca338be53e2ce059e2819 Mon Sep 17 00:00:00 2001
From: goldsimon <goldsimon@gmx.de>
Date: Mon, 13 Aug 2012 21:38:30 +0200
Subject: [PATCH] fixed bug #36840 snmp_send_trap() NULL de-reference if traps
 configured but no interfaces available

---
 CHANGELOG               |  4 ++
 src/core/snmp/msg_out.c | 96 +++++++++++++++++++++--------------------
 2 files changed, 54 insertions(+), 46 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 197f1e04..ee04d033 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -80,6 +80,10 @@ HISTORY
 
  ++ Bugfixes:
 
+  2012-08-13: Simon Goldschmidt
+  * msg_out.c: fixed bug #36840 snmp_send_trap() NULL de-reference if traps
+    configured but no interfaces available
+
   2012-08-13: Simon Goldschmidt
   * dns.c: fixed bug #36899 DNS TTL 0 is cached for a long time
 
diff --git a/src/core/snmp/msg_out.c b/src/core/snmp/msg_out.c
index 485f076a..fc0807c5 100644
--- a/src/core/snmp/msg_out.c
+++ b/src/core/snmp/msg_out.c
@@ -217,6 +217,7 @@ snmp_send_trap(s8_t generic_trap, struct snmp_obj_id *eoid, s32_t specific_trap)
   ip_addr_t dst_ip;
   struct pbuf *p;
   u16_t i,tot_len;
+  err_t err = ERR_OK;
 
   for (i=0, td = &trap_dst[0]; i<SNMP_TRAP_DESTINATIONS; i++, td++)
   {
@@ -226,55 +227,58 @@ snmp_send_trap(s8_t generic_trap, struct snmp_obj_id *eoid, s32_t specific_trap)
       ip_addr_copy(trap_msg.dip, td->dip);
       /* lookup current source address for this dst */
       dst_if = ip_route(&td->dip);
-      ip_addr_copy(dst_ip, dst_if->ip_addr);
-      /* @todo: what about IPv6? */
-      trap_msg.sip_raw[0] = ip4_addr1(&dst_ip);
-      trap_msg.sip_raw[1] = ip4_addr2(&dst_ip);
-      trap_msg.sip_raw[2] = ip4_addr3(&dst_ip);
-      trap_msg.sip_raw[3] = ip4_addr4(&dst_ip);
-      trap_msg.gen_trap = generic_trap;
-      trap_msg.spc_trap = specific_trap;
-      if (generic_trap == SNMP_GENTRAP_ENTERPRISESPC)
-      {
-        /* enterprise-Specific trap */
-        trap_msg.enterprise = eoid;
-      }
-      else
-      {
-        /* generic (MIB-II) trap */
-        snmp_get_snmpgrpid_ptr(&trap_msg.enterprise);
-      }
-      snmp_get_sysuptime(&trap_msg.ts);
-
-      /* pass 0, calculate length fields */
-      tot_len = snmp_varbind_list_sum(&trap_msg.outvb);
-      tot_len = snmp_trap_header_sum(&trap_msg, tot_len);
-
-      /* allocate pbuf(s) */
-      p = pbuf_alloc(PBUF_TRANSPORT, tot_len, PBUF_POOL);
-      if (p != NULL)
-      {
-        u16_t ofs;
-
-        /* pass 1, encode packet ino the pbuf(s) */
-        ofs = snmp_trap_header_enc(&trap_msg, p);
-        snmp_varbind_list_enc(&trap_msg.outvb, p, ofs);
-
-        snmp_inc_snmpouttraps();
-        snmp_inc_snmpoutpkts();
-
-        /** send to the TRAP destination */
-        udp_sendto(trap_msg.pcb, p, &trap_msg.dip, SNMP_TRAP_PORT);
-
-        pbuf_free(p);
-      }
-      else
-      {
-        return ERR_MEM;
+      if (dst_if != NULL) {
+        ip_addr_copy(dst_ip, dst_if->ip_addr);
+        /* @todo: what about IPv6? */
+        trap_msg.sip_raw[0] = ip4_addr1(&dst_ip);
+        trap_msg.sip_raw[1] = ip4_addr2(&dst_ip);
+        trap_msg.sip_raw[2] = ip4_addr3(&dst_ip);
+        trap_msg.sip_raw[3] = ip4_addr4(&dst_ip);
+        trap_msg.gen_trap = generic_trap;
+        trap_msg.spc_trap = specific_trap;
+        if (generic_trap == SNMP_GENTRAP_ENTERPRISESPC)
+        {
+          /* enterprise-Specific trap */
+          trap_msg.enterprise = eoid;
+        }
+        else
+        {
+          /* generic (MIB-II) trap */
+          snmp_get_snmpgrpid_ptr(&trap_msg.enterprise);
+        }
+        snmp_get_sysuptime(&trap_msg.ts);
+
+        /* pass 0, calculate length fields */
+        tot_len = snmp_varbind_list_sum(&trap_msg.outvb);
+        tot_len = snmp_trap_header_sum(&trap_msg, tot_len);
+
+        /* allocate pbuf(s) */
+        p = pbuf_alloc(PBUF_TRANSPORT, tot_len, PBUF_POOL);
+        if (p != NULL)
+        {
+          u16_t ofs;
+
+          /* pass 1, encode packet ino the pbuf(s) */
+          ofs = snmp_trap_header_enc(&trap_msg, p);
+          snmp_varbind_list_enc(&trap_msg.outvb, p, ofs);
+
+          snmp_inc_snmpouttraps();
+          snmp_inc_snmpoutpkts();
+
+          /** send to the TRAP destination */
+          udp_sendto(trap_msg.pcb, p, &trap_msg.dip, SNMP_TRAP_PORT);
+
+          pbuf_free(p);
+        } else {
+          err = ERR_MEM;
+        }
+      } else {
+        /* routing error */
+        err = ERR_RTE;
       }
     }
   }
-  return ERR_OK;
+  return err;
 }
 
 void
-- 
2.39.2