net-snmp-5.7.2: fix CVE-2014-2284

The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before 5.5.2.1, 5.6.x before 5.6.2.1, and 5.7.x before 5.7.2.1 does not properly validate input, which allows remote attackers to cause a denial of service via unspecified vectors. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2284 Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: yanjun.zhu <yanjun.zhu@windriver.com> 2014-05-09 16:40:36 +0800
committer: Joe MacDonald <joe@deserted.net> 2014-05-09 10:18:40 -0400
commit: 7361149c47dc846552e574456c607d1bef508b08 (patch)
tree: 883bb95e58fae780fc7ec8045cc7a287ca7f294e
parent: b9ad53cccef2d8e695d9459904bac277e0406b89 (diff)
download: meta-openembedded-7361149c47dc846552e574456c607d1bef508b08.tar.gz
2 files changed, 127 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/net-snmp/files/net-snmp-5.7.2-fix-CVE-2014-2284.patch b/meta-networking/recipes-protocols/net-snmp/files/net-snmp-5.7.2-fix-CVE-2014-2284.patch
new file mode 100644
index 000000000..4ad906432
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/files/net-snmp-5.7.2-fix-CVE-2014-2284.patch
@@ -0,0 +1,126 @@
+diff -urpN a/agent/mibgroup/mibII/icmp.c b/agent/mibgroup/mibII/icmp.c
+--- a/agent/mibgroup/mibII/icmp.c
+++ b/agent/mibgroup/mibII/icmp.c
+@@ -106,10 +106,20 @@ struct icmp_msg_stats_table_entry {
+         int flags;
+ };
+ 
+#ifdef linux
+/* Linux keeps track of all possible message types */
+#define ICMP_MSG_STATS_IPV4_COUNT 256
+#else
+ #define ICMP_MSG_STATS_IPV4_COUNT 11
+#endif
+ 
+ #ifdef NETSNMP_ENABLE_IPV6
+#ifdef linux
+/* Linux keeps track of all possible message types */
+#define ICMP_MSG_STATS_IPV6_COUNT 256
+#else
+ #define ICMP_MSG_STATS_IPV6_COUNT 14
+#endif
+ #else
+ #define ICMP_MSG_STATS_IPV6_COUNT 0
+ #endif /* NETSNMP_ENABLE_IPV6 */
+@@ -177,7 +187,7 @@ icmp_msg_stats_load(netsnmp_cache *cache
+     inc = 0;
+     linux_read_icmp_msg_stat(&v4icmp, &v4icmpmsg, &flag);
+     if (flag) {
+-        while (254 != k) {
+        while (255 >= k) {
+             if (v4icmpmsg.vals[k].InType) {
+                 icmp_msg_stats_table[i].ipVer = 1;
+                 icmp_msg_stats_table[i].icmpMsgStatsType = k;
+@@ -1050,6 +1060,12 @@ icmp_stats_table_handler(netsnmp_mib_han
+                                        continue;
+                                table_info = netsnmp_extract_table_info(request);
+                                subid      = table_info->colnum;
+                               DEBUGMSGTL(( "mibII/icmpStatsTable", "oid: " ));
+                               DEBUGMSGOID(( "mibII/icmpStatsTable", request->requestvb->name,
+                                                request->requestvb->name_length ));
+                               DEBUGMSG(( "mibII/icmpStatsTable", " In %d InErr %d Out %d OutErr %d\n",
+                                             entry->icmpStatsInMsgs, entry->icmpStatsInErrors,
+                                             entry->icmpStatsOutMsgs, entry->icmpStatsOutErrors ));
+ 
+                                switch (subid) {
+                                        case ICMP_STAT_INMSG:
+@@ -1117,6 +1133,11 @@ icmp_msg_stats_table_handler(netsnmp_mib
+                     continue;
+                 table_info = netsnmp_extract_table_info(request);
+                 subid = table_info->colnum;
+               DEBUGMSGTL(( "mibII/icmpMsgStatsTable", "oid: " ));
+               DEBUGMSGOID(( "mibII/icmpMsgStatsTable", request->requestvb->name,
+                               request->requestvb->name_length ));
+               DEBUGMSG(( "mibII/icmpMsgStatsTable", " In %d Out %d Flags 0x%x\n",
+                               entry->icmpMsgStatsInPkts, entry->icmpMsgStatsOutPkts, entry->flags ));
+ 
+                 switch (subid) {
+                     case ICMP_MSG_STAT_IN_PKTS:
+diff -urpN a/agent/mibgroup/mibII/kernel_linux.c b/agent/mibgroup/mibII/kernel_linux.c
+--- a/agent/mibgroup/mibII/kernel_linux.c
+++ b/agent/mibgroup/mibII/kernel_linux.c
+@@ -81,9 +81,9 @@ decode_icmp_msg(char *line, char *data, 
+             index = strtol(token, &delim, 0);
+             if (ERANGE == errno) {
+                 continue;
+-            } else if (index > LONG_MAX) {
+            } else if (index > 255) {
+                 continue;
+-            } else if (index < LONG_MIN) {
+            } else if (index < 0) {
+                 continue;
+             }
+             if (NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
+@@ -94,9 +94,9 @@ decode_icmp_msg(char *line, char *data, 
+             index = strtol(token, &delim, 0);
+             if (ERANGE == errno) {
+                 continue;
+-            } else if (index > LONG_MAX) {
+            } else if (index > 255) {
+                 continue;
+-            } else if (index < LONG_MIN) {
+            } else if (index < 0) {
+                 continue;
+             }
+             if(NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
+@@ -426,14 +426,21 @@ linux_read_icmp6_parse(struct icmp6_mib 
+ 
+         vals = name;
+         if (NULL != icmp6msgstat) {
+            int type;
+             if (0 == strncmp(name, "Icmp6OutType", 12)) {
+                 strsep(&vals, "e");
+-                icmp6msgstat->vals[atoi(vals)].OutType = stats;
+                type = atoi(vals);
+                if ( type < 0 || type > 255 )
+                    continue;
+                icmp6msgstat->vals[type].OutType = stats;
+                 *support = 1;
+                 continue;
+             } else if (0 == strncmp(name, "Icmp6InType", 11)) {
+                 strsep(&vals, "e");
+-                icmp6msgstat->vals[atoi(vals)].InType = stats;
+                type = atoi(vals);
+                if ( type < 0 || type > 255 )
+                    continue;
+                icmp6msgstat->vals[type].OutType = stats;
+                 *support = 1;
+                 continue;
+             }
+diff -urpN a/agent/mibgroup/mibII/kernel_linux.h b/agent/mibgroup/mibII/kernel_linux.h
+--- a/agent/mibgroup/mibII/kernel_linux.h
+++ b/agent/mibgroup/mibII/kernel_linux.h
+@@ -121,11 +121,11 @@ struct icmp_msg_mib {
+ 
+ /* Lets use wrapper structures for future expansion */
+ struct icmp4_msg_mib {
+-    struct icmp_msg_mib vals[255];
+    struct icmp_msg_mib vals[256];
+ };
+ 
+ struct icmp6_msg_mib {
+-    struct icmp_msg_mib vals[255];
+    struct icmp_msg_mib vals[256];
+ };
+ 
+ struct udp_mib {
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb
index f6656ad7d..8f20ce9a3 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
        file://snmpd.service \
        file://snmptrapd.service \
        file://ifmib.patch \
+        file://net-snmp-5.7.2-fix-CVE-2014-2284.patch \
 "
 SRC_URI[md5sum] = "5bddd02e2f82b62daa79f82717737a14"
author	yanjun.zhu <yanjun.zhu@windriver.com>	2014-05-09 16:40:36 +0800
committer	Joe MacDonald <joe@deserted.net>	2014-05-09 10:18:40 -0400
commit	7361149c47dc846552e574456c607d1bef508b08 (patch)
tree	883bb95e58fae780fc7ec8045cc7a287ca7f294e
parent	b9ad53cccef2d8e695d9459904bac277e0406b89 (diff)
download	meta-openembedded-7361149c47dc846552e574456c607d1bef508b08.tar.gz

diff --git a/meta-networking/recipes-protocols/net-snmp/files/net-snmp-5.7.2-fix-CVE-2014-2284.patch b/meta-networking/recipes-protocols/net-snmp/files/net-snmp-5.7.2-fix-CVE-2014-2284.patch new file mode 100644 index 000000000..4ad906432 --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/files/net-snmp-5.7.2-fix-CVE-2014-2284.patch
@@ -0,0 +1,126 @@
		1	diff -urpN a/agent/mibgroup/mibII/icmp.c b/agent/mibgroup/mibII/icmp.c
		2	--- a/agent/mibgroup/mibII/icmp.c
		3	+++ b/agent/mibgroup/mibII/icmp.c
		4	@@ -106,10 +106,20 @@ struct icmp_msg_stats_table_entry {
		5	int flags;
		6	};
		7
		8	+#ifdef linux
		9	+/* Linux keeps track of all possible message types */
		10	+#define ICMP_MSG_STATS_IPV4_COUNT 256
		11	+#else
		12	#define ICMP_MSG_STATS_IPV4_COUNT 11
		13	+#endif
		14
		15	#ifdef NETSNMP_ENABLE_IPV6
		16	+#ifdef linux
		17	+/* Linux keeps track of all possible message types */
		18	+#define ICMP_MSG_STATS_IPV6_COUNT 256
		19	+#else
		20	#define ICMP_MSG_STATS_IPV6_COUNT 14
		21	+#endif
		22	#else
		23	#define ICMP_MSG_STATS_IPV6_COUNT 0
		24	#endif /* NETSNMP_ENABLE_IPV6 */
		25	@@ -177,7 +187,7 @@ icmp_msg_stats_load(netsnmp_cache *cache
		26	inc = 0;
		27	linux_read_icmp_msg_stat(&v4icmp, &v4icmpmsg, &flag);
		28	if (flag) {
		29	- while (254 != k) {
		30	+ while (255 >= k) {
		31	if (v4icmpmsg.vals[k].InType) {
		32	icmp_msg_stats_table[i].ipVer = 1;
		33	icmp_msg_stats_table[i].icmpMsgStatsType = k;
		34	@@ -1050,6 +1060,12 @@ icmp_stats_table_handler(netsnmp_mib_han
		35	continue;
		36	table_info = netsnmp_extract_table_info(request);
		37	subid = table_info->colnum;
		38	+ DEBUGMSGTL(( "mibII/icmpStatsTable", "oid: " ));
		39	+ DEBUGMSGOID(( "mibII/icmpStatsTable", request->requestvb->name,
		40	+ request->requestvb->name_length ));
		41	+ DEBUGMSG(( "mibII/icmpStatsTable", " In %d InErr %d Out %d OutErr %d\n",
		42	+ entry->icmpStatsInMsgs, entry->icmpStatsInErrors,
		43	+ entry->icmpStatsOutMsgs, entry->icmpStatsOutErrors ));
		44
		45	switch (subid) {
		46	case ICMP_STAT_INMSG:
		47	@@ -1117,6 +1133,11 @@ icmp_msg_stats_table_handler(netsnmp_mib
		48	continue;
		49	table_info = netsnmp_extract_table_info(request);
		50	subid = table_info->colnum;
		51	+ DEBUGMSGTL(( "mibII/icmpMsgStatsTable", "oid: " ));
		52	+ DEBUGMSGOID(( "mibII/icmpMsgStatsTable", request->requestvb->name,
		53	+ request->requestvb->name_length ));
		54	+ DEBUGMSG(( "mibII/icmpMsgStatsTable", " In %d Out %d Flags 0x%x\n",
		55	+ entry->icmpMsgStatsInPkts, entry->icmpMsgStatsOutPkts, entry->flags ));
		56
		57	switch (subid) {
		58	case ICMP_MSG_STAT_IN_PKTS:
		59	diff -urpN a/agent/mibgroup/mibII/kernel_linux.c b/agent/mibgroup/mibII/kernel_linux.c
		60	--- a/agent/mibgroup/mibII/kernel_linux.c
		61	+++ b/agent/mibgroup/mibII/kernel_linux.c
		62	@@ -81,9 +81,9 @@ decode_icmp_msg(char line, char data,
		63	index = strtol(token, &delim, 0);
		64	if (ERANGE == errno) {
		65	continue;
		66	- } else if (index > LONG_MAX) {
		67	+ } else if (index > 255) {
		68	continue;
		69	- } else if (index < LONG_MIN) {
		70	+ } else if (index < 0) {
		71	continue;
		72	}
		73	if (NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
		74	@@ -94,9 +94,9 @@ decode_icmp_msg(char line, char data,
		75	index = strtol(token, &delim, 0);
		76	if (ERANGE == errno) {
		77	continue;
		78	- } else if (index > LONG_MAX) {
		79	+ } else if (index > 255) {
		80	continue;
		81	- } else if (index < LONG_MIN) {
		82	+ } else if (index < 0) {
		83	continue;
		84	}
		85	if(NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
		86	@@ -426,14 +426,21 @@ linux_read_icmp6_parse(struct icmp6_mib
		87
		88	vals = name;
		89	if (NULL != icmp6msgstat) {
		90	+ int type;
		91	if (0 == strncmp(name, "Icmp6OutType", 12)) {
		92	strsep(&vals, "e");
		93	- icmp6msgstat->vals[atoi(vals)].OutType = stats;
		94	+ type = atoi(vals);
		95	+ if ( type < 0 \|\| type > 255 )
		96	+ continue;
		97	+ icmp6msgstat->vals[type].OutType = stats;
		98	*support = 1;
		99	continue;
		100	} else if (0 == strncmp(name, "Icmp6InType", 11)) {
		101	strsep(&vals, "e");
		102	- icmp6msgstat->vals[atoi(vals)].InType = stats;
		103	+ type = atoi(vals);
		104	+ if ( type < 0 \|\| type > 255 )
		105	+ continue;
		106	+ icmp6msgstat->vals[type].OutType = stats;
		107	*support = 1;
		108	continue;
		109	}
		110	diff -urpN a/agent/mibgroup/mibII/kernel_linux.h b/agent/mibgroup/mibII/kernel_linux.h
		111	--- a/agent/mibgroup/mibII/kernel_linux.h
		112	+++ b/agent/mibgroup/mibII/kernel_linux.h
		113	@@ -121,11 +121,11 @@ struct icmp_msg_mib {
		114
		115	/* Lets use wrapper structures for future expansion */
		116	struct icmp4_msg_mib {
		117	- struct icmp_msg_mib vals[255];
		118	+ struct icmp_msg_mib vals[256];
		119	};
		120
		121	struct icmp6_msg_mib {
		122	- struct icmp_msg_mib vals[255];
		123	+ struct icmp_msg_mib vals[256];
		124	};
		125
		126	struct udp_mib {


diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb index f6656ad7d..8f20ce9a3 100644 --- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
16	file://snmpd.service \	16	file://snmpd.service \
17	file://snmptrapd.service \	17	file://snmptrapd.service \
18	file://ifmib.patch \	18	file://ifmib.patch \
		19	file://net-snmp-5.7.2-fix-CVE-2014-2284.patch \
19	"	20	"
20		21
21	SRC_URI[md5sum] = "5bddd02e2f82b62daa79f82717737a14"	22	SRC_URI[md5sum] = "5bddd02e2f82b62daa79f82717737a14"