2 files changed, 129 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch
new file mode 100644
index 000000000..04f2110f3
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch
@@ -0,0 +1,128 @@
+the snmp_pdu_parse() function could leave
+incompletely parsed varBind variables in the list of variables in
+case the parsing of the SNMP PDU failed. If later processing tries to
+operate on the stale and incompletely processed varBind (e.g. when
+printing the variables), this can lead to e.g. crashes or, possibly,
+execution of arbitrary code
+Upstream-Status: Backport [net-snmp]
+Written-by: Robert Story
+diff -Nur net-snmp-5.7.2.1.orig/snmplib/snmp_api.c net-snmp-5.7.2.1/snmplib/snmp_api.c
+--- net-snmp-5.7.2.1.orig/snmplib/snmp_api.c    2015-05-27 11:25:11.563747471 +0800
+++ net-snmp-5.7.2.1/snmplib/snmp_api.c 2015-05-27 13:27:27.724748201 +0800
+@@ -4345,10 +4345,9 @@
+     u_char          type;
+     u_char          msg_type;
+     u_char         *var_val;
+-    int             badtype = 0;
+     size_t          len;
+     size_t          four;
+-    netsnmp_variable_list *vp = NULL;
+    netsnmp_variable_list *vp = NULL, *vplast = NULL;
+     oid             objid[MAX_OID_LEN];
+ 
+     /*
+@@ -4487,38 +4486,24 @@
+                               (ASN_SEQUENCE | ASN_CONSTRUCTOR),
+                               "varbinds");
+     if (data == NULL)
+-        return -1;
+        goto fail;
+ 
+     /*
+      * get each varBind sequence 
+      */
+     while ((int) *length > 0) {
+-        netsnmp_variable_list *vptemp;
+-        vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
+-        if (NULL == vptemp) {
+-            return -1;
+-        }
+-        if (NULL == vp) {
+-            pdu->variables = vptemp;
+-        } else {
+-            vp->next_variable = vptemp;
+-        }
+-        vp = vptemp;
+        vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
+        if (NULL == vp)
+            goto fail;
+ 
+-        vp->next_variable = NULL;
+-        vp->val.string = NULL;
+         vp->name_length = MAX_OID_LEN;
+-        vp->name = NULL;
+-        vp->index = 0;
+-        vp->data = NULL;
+-        vp->dataFreeHook = NULL;
+         DEBUGDUMPSECTION("recv", "VarBind");
+         data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
+                                  &vp->val_len, &var_val, length);
+         if (data == NULL)
+-            return -1;
+            goto fail;
+         if (snmp_set_var_objid(vp, objid, vp->name_length))
+-            return -1;
+            goto fail;
+ 
+         len = MAX_PACKET_LENGTH;
+         DEBUGDUMPHEADER("recv", "Value");
+@@ -4583,7 +4568,7 @@
+                 vp->val.string = (u_char *) malloc(vp->val_len);
+             }
+             if (vp->val.string == NULL) {
+-                return -1;
+                goto fail;
+             }
+             asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+                              &vp->val_len);
+@@ -4594,7 +4579,7 @@
+             vp->val_len *= sizeof(oid);
+             vp->val.objid = (oid *) malloc(vp->val_len);
+             if (vp->val.objid == NULL) {
+-                return -1;
+                goto fail;
+             }
+             memmove(vp->val.objid, objid, vp->val_len);
+             break;
+@@ -4606,19 +4591,35 @@
+         case ASN_BIT_STR:
+             vp->val.bitstring = (u_char *) malloc(vp->val_len);
+             if (vp->val.bitstring == NULL) {
+-                return -1;
+                goto fail;
+             }
+             asn_parse_bitstring(var_val, &len, &vp->type,
+                                 vp->val.bitstring, &vp->val_len);
+             break;
+         default:
+             snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
+-            badtype = -1;
+            goto fail;
+             break;
+         }
+         DEBUGINDENTADD(-4);
+
+        if (NULL == vplast) {
+            pdu->variables = vp;
+        } else {
+            vplast->next_variable = vp;
+        }
+        vplast = vp;
+        vp = NULL;
+     }
+-    return badtype;
+    return 0;
+
+  fail:
+    DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
+    /** if we were parsing a var, remove it from the pdu and free it */
+    if (vp)
+        snmp_free_var(vp);
+
+    return -1;
+ }
+ 
+ /*
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
index 93d3a941e..2d9d9740f 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
@@ -21,6 +21,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.zip \
        file://net-snmp-testing-add-the-output-format-for-ptest.patch \
        file://run-ptest \
        file://0001-Fix-CVE-2014-2285.patch \
+        file://dont-return-incompletely-parsed-varbinds.patch \
 "
 SRC_URI[md5sum] = "a2c83518648b0f2a5d378625e45c0e18"

diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch new file mode 100644 index 000000000..04f2110f3 --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch
@@ -0,0 +1,128 @@
		1	the snmp_pdu_parse() function could leave
		2	incompletely parsed varBind variables in the list of variables in
		3	case the parsing of the SNMP PDU failed. If later processing tries to
		4	operate on the stale and incompletely processed varBind (e.g. when
		5	printing the variables), this can lead to e.g. crashes or, possibly,
		6	execution of arbitrary code
		7
		8	Upstream-Status: Backport [net-snmp]
		9
		10	Written-by: Robert Story
		11
		12	diff -Nur net-snmp-5.7.2.1.orig/snmplib/snmp_api.c net-snmp-5.7.2.1/snmplib/snmp_api.c
		13	--- net-snmp-5.7.2.1.orig/snmplib/snmp_api.c 2015-05-27 11:25:11.563747471 +0800
		14	+++ net-snmp-5.7.2.1/snmplib/snmp_api.c 2015-05-27 13:27:27.724748201 +0800
		15	@@ -4345,10 +4345,9 @@
		16	u_char type;
		17	u_char msg_type;
		18	u_char *var_val;
		19	- int badtype = 0;
		20	size_t len;
		21	size_t four;
		22	- netsnmp_variable_list *vp = NULL;
		23	+ netsnmp_variable_list vp = NULL, vplast = NULL;
		24	oid objid[MAX_OID_LEN];
		25
		26	/*
		27	@@ -4487,38 +4486,24 @@
		28	(ASN_SEQUENCE \| ASN_CONSTRUCTOR),
		29	"varbinds");
		30	if (data == NULL)
		31	- return -1;
		32	+ goto fail;
		33
		34	/*
		35	* get each varBind sequence
		36	*/
		37	while ((int) *length > 0) {
		38	- netsnmp_variable_list *vptemp;
		39	- vptemp = (netsnmp_variable_list ) malloc(sizeof(vptemp));
		40	- if (NULL == vptemp) {
		41	- return -1;
		42	- }
		43	- if (NULL == vp) {
		44	- pdu->variables = vptemp;
		45	- } else {
		46	- vp->next_variable = vptemp;
		47	- }
		48	- vp = vptemp;
		49	+ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
		50	+ if (NULL == vp)
		51	+ goto fail;
		52
		53	- vp->next_variable = NULL;
		54	- vp->val.string = NULL;
		55	vp->name_length = MAX_OID_LEN;
		56	- vp->name = NULL;
		57	- vp->index = 0;
		58	- vp->data = NULL;
		59	- vp->dataFreeHook = NULL;
		60	DEBUGDUMPSECTION("recv", "VarBind");
		61	data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
		62	&vp->val_len, &var_val, length);
		63	if (data == NULL)
		64	- return -1;
		65	+ goto fail;
		66	if (snmp_set_var_objid(vp, objid, vp->name_length))
		67	- return -1;
		68	+ goto fail;
		69
		70	len = MAX_PACKET_LENGTH;
		71	DEBUGDUMPHEADER("recv", "Value");
		72	@@ -4583,7 +4568,7 @@
		73	vp->val.string = (u_char *) malloc(vp->val_len);
		74	}
		75	if (vp->val.string == NULL) {
		76	- return -1;
		77	+ goto fail;
		78	}
		79	asn_parse_string(var_val, &len, &vp->type, vp->val.string,
		80	&vp->val_len);
		81	@@ -4594,7 +4579,7 @@
		82	vp->val_len *= sizeof(oid);
		83	vp->val.objid = (oid *) malloc(vp->val_len);
		84	if (vp->val.objid == NULL) {
		85	- return -1;
		86	+ goto fail;
		87	}
		88	memmove(vp->val.objid, objid, vp->val_len);
		89	break;
		90	@@ -4606,19 +4591,35 @@
		91	case ASN_BIT_STR:
		92	vp->val.bitstring = (u_char *) malloc(vp->val_len);
		93	if (vp->val.bitstring == NULL) {
		94	- return -1;
		95	+ goto fail;
		96	}
		97	asn_parse_bitstring(var_val, &len, &vp->type,
		98	vp->val.bitstring, &vp->val_len);
		99	break;
		100	default:
		101	snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
		102	- badtype = -1;
		103	+ goto fail;
		104	break;
		105	}
		106	DEBUGINDENTADD(-4);
		107	+
		108	+ if (NULL == vplast) {
		109	+ pdu->variables = vp;
		110	+ } else {
		111	+ vplast->next_variable = vp;
		112	+ }
		113	+ vplast = vp;
		114	+ vp = NULL;
		115	}
		116	- return badtype;
		117	+ return 0;
		118	+
		119	+ fail:
		120	+ DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
		121	+ /** if we were parsing a var, remove it from the pdu and free it */
		122	+ if (vp)
		123	+ snmp_free_var(vp);
		124	+
		125	+ return -1;
		126	}
		127
		128	/*


diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb index 93d3a941e..2d9d9740f 100644 --- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.1.bb
@@ -21,6 +21,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.zip \
21	file://net-snmp-testing-add-the-output-format-for-ptest.patch \	21	file://net-snmp-testing-add-the-output-format-for-ptest.patch \
22	file://run-ptest \	22	file://run-ptest \
23	file://0001-Fix-CVE-2014-2285.patch \	23	file://0001-Fix-CVE-2014-2285.patch \
		24	file://dont-return-incompletely-parsed-varbinds.patch \
24	"	25	"
25		26
26	SRC_URI[md5sum] = "a2c83518648b0f2a5d378625e45c0e18"	27	SRC_URI[md5sum] = "a2c83518648b0f2a5d378625e45c0e18"