diff options
-rw-r--r-- | meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch | 128 | ||||
-rw-r--r-- | meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb | 1 |
2 files changed, 129 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch new file mode 100644 index 000000000..04f2110f3 --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch | |||
@@ -0,0 +1,128 @@ | |||
1 | the snmp_pdu_parse() function could leave | ||
2 | incompletely parsed varBind variables in the list of variables in | ||
3 | case the parsing of the SNMP PDU failed. If later processing tries to | ||
4 | operate on the stale and incompletely processed varBind (e.g. when | ||
5 | printing the variables), this can lead to e.g. crashes or, possibly, | ||
6 | execution of arbitrary code | ||
7 | |||
8 | Upstream-Status: Backport [net-snmp] | ||
9 | |||
10 | Written-by: Robert Story | ||
11 | |||
12 | diff -Nur net-snmp-5.7.2.1.orig/snmplib/snmp_api.c net-snmp-5.7.2.1/snmplib/snmp_api.c | ||
13 | --- net-snmp-5.7.2.1.orig/snmplib/snmp_api.c 2015-05-27 11:25:11.563747471 +0800 | ||
14 | +++ net-snmp-5.7.2.1/snmplib/snmp_api.c 2015-05-27 13:27:27.724748201 +0800 | ||
15 | @@ -4345,10 +4345,9 @@ | ||
16 | u_char type; | ||
17 | u_char msg_type; | ||
18 | u_char *var_val; | ||
19 | - int badtype = 0; | ||
20 | size_t len; | ||
21 | size_t four; | ||
22 | - netsnmp_variable_list *vp = NULL; | ||
23 | + netsnmp_variable_list *vp = NULL, *vplast = NULL; | ||
24 | oid objid[MAX_OID_LEN]; | ||
25 | |||
26 | /* | ||
27 | @@ -4487,38 +4486,24 @@ | ||
28 | (ASN_SEQUENCE | ASN_CONSTRUCTOR), | ||
29 | "varbinds"); | ||
30 | if (data == NULL) | ||
31 | - return -1; | ||
32 | + goto fail; | ||
33 | |||
34 | /* | ||
35 | * get each varBind sequence | ||
36 | */ | ||
37 | while ((int) *length > 0) { | ||
38 | - netsnmp_variable_list *vptemp; | ||
39 | - vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp)); | ||
40 | - if (NULL == vptemp) { | ||
41 | - return -1; | ||
42 | - } | ||
43 | - if (NULL == vp) { | ||
44 | - pdu->variables = vptemp; | ||
45 | - } else { | ||
46 | - vp->next_variable = vptemp; | ||
47 | - } | ||
48 | - vp = vptemp; | ||
49 | + vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list); | ||
50 | + if (NULL == vp) | ||
51 | + goto fail; | ||
52 | |||
53 | - vp->next_variable = NULL; | ||
54 | - vp->val.string = NULL; | ||
55 | vp->name_length = MAX_OID_LEN; | ||
56 | - vp->name = NULL; | ||
57 | - vp->index = 0; | ||
58 | - vp->data = NULL; | ||
59 | - vp->dataFreeHook = NULL; | ||
60 | DEBUGDUMPSECTION("recv", "VarBind"); | ||
61 | data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type, | ||
62 | &vp->val_len, &var_val, length); | ||
63 | if (data == NULL) | ||
64 | - return -1; | ||
65 | + goto fail; | ||
66 | if (snmp_set_var_objid(vp, objid, vp->name_length)) | ||
67 | - return -1; | ||
68 | + goto fail; | ||
69 | |||
70 | len = MAX_PACKET_LENGTH; | ||
71 | DEBUGDUMPHEADER("recv", "Value"); | ||
72 | @@ -4583,7 +4568,7 @@ | ||
73 | vp->val.string = (u_char *) malloc(vp->val_len); | ||
74 | } | ||
75 | if (vp->val.string == NULL) { | ||
76 | - return -1; | ||
77 | + goto fail; | ||
78 | } | ||
79 | asn_parse_string(var_val, &len, &vp->type, vp->val.string, | ||
80 | &vp->val_len); | ||
81 | @@ -4594,7 +4579,7 @@ | ||
82 | vp->val_len *= sizeof(oid); | ||
83 | vp->val.objid = (oid *) malloc(vp->val_len); | ||
84 | if (vp->val.objid == NULL) { | ||
85 | - return -1; | ||
86 | + goto fail; | ||
87 | } | ||
88 | memmove(vp->val.objid, objid, vp->val_len); | ||
89 | break; | ||
90 | @@ -4606,19 +4591,35 @@ | ||
91 | case ASN_BIT_STR: | ||
92 | vp->val.bitstring = (u_char *) malloc(vp->val_len); | ||
93 | if (vp->val.bitstring == NULL) { | ||
94 | - return -1; | ||
95 | + goto fail; | ||
96 | } | ||
97 | asn_parse_bitstring(var_val, &len, &vp->type, | ||
98 | vp->val.bitstring, &vp->val_len); | ||
99 | break; | ||
100 | default: | ||
101 | snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type); | ||
102 | - badtype = -1; | ||
103 | + goto fail; | ||
104 | break; | ||
105 | } | ||
106 | DEBUGINDENTADD(-4); | ||
107 | + | ||
108 | + if (NULL == vplast) { | ||
109 | + pdu->variables = vp; | ||
110 | + } else { | ||
111 | + vplast->next_variable = vp; | ||
112 | + } | ||
113 | + vplast = vp; | ||
114 | + vp = NULL; | ||
115 | } | ||
116 | - return badtype; | ||
117 | + return 0; | ||
118 | + | ||
119 | + fail: | ||
120 | + DEBUGMSGTL(("recv", "error while parsing VarBindList\n")); | ||
121 | + /** if we were parsing a var, remove it from the pdu and free it */ | ||
122 | + if (vp) | ||
123 | + snmp_free_var(vp); | ||
124 | + | ||
125 | + return -1; | ||
126 | } | ||
127 | |||
128 | /* | ||
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb index 93d3a941e..2d9d9740f 100644 --- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb | |||
@@ -21,6 +21,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.zip \ | |||
21 | file://net-snmp-testing-add-the-output-format-for-ptest.patch \ | 21 | file://net-snmp-testing-add-the-output-format-for-ptest.patch \ |
22 | file://run-ptest \ | 22 | file://run-ptest \ |
23 | file://0001-Fix-CVE-2014-2285.patch \ | 23 | file://0001-Fix-CVE-2014-2285.patch \ |
24 | file://dont-return-incompletely-parsed-varbinds.patch \ | ||
24 | " | 25 | " |
25 | 26 | ||
26 | SRC_URI[md5sum] = "a2c83518648b0f2a5d378625e45c0e18" | 27 | SRC_URI[md5sum] = "a2c83518648b0f2a5d378625e45c0e18" |