diff options
Diffstat (limited to 'meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch')
| -rw-r--r-- | meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch new file mode 100644 index 0000000000..04f2110f39 --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/dont-return-incompletely-parsed-varbinds.patch @@ -0,0 +1,128 @@ +the snmp_pdu_parse() function could leave +incompletely parsed varBind variables in the list of variables in +case the parsing of the SNMP PDU failed. If later processing tries to +operate on the stale and incompletely processed varBind (e.g. when +printing the variables), this can lead to e.g. crashes or, possibly, +execution of arbitrary code + +Upstream-Status: Backport [net-snmp] + +Written-by: Robert Story + +diff -Nur net-snmp-5.7.2.1.orig/snmplib/snmp_api.c net-snmp-5.7.2.1/snmplib/snmp_api.c +--- net-snmp-5.7.2.1.orig/snmplib/snmp_api.c 2015-05-27 11:25:11.563747471 +0800 ++++ net-snmp-5.7.2.1/snmplib/snmp_api.c 2015-05-27 13:27:27.724748201 +0800 +@@ -4345,10 +4345,9 @@ + u_char type; + u_char msg_type; + u_char *var_val; +- int badtype = 0; + size_t len; + size_t four; +- netsnmp_variable_list *vp = NULL; ++ netsnmp_variable_list *vp = NULL, *vplast = NULL; + oid objid[MAX_OID_LEN]; + + /* +@@ -4487,38 +4486,24 @@ + (ASN_SEQUENCE | ASN_CONSTRUCTOR), + "varbinds"); + if (data == NULL) +- return -1; ++ goto fail; + + /* + * get each varBind sequence + */ + while ((int) *length > 0) { +- netsnmp_variable_list *vptemp; +- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp)); +- if (NULL == vptemp) { +- return -1; +- } +- if (NULL == vp) { +- pdu->variables = vptemp; +- } else { +- vp->next_variable = vptemp; +- } +- vp = vptemp; ++ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list); ++ if (NULL == vp) ++ goto fail; + +- vp->next_variable = NULL; +- vp->val.string = NULL; + vp->name_length = MAX_OID_LEN; +- vp->name = NULL; +- vp->index = 0; +- vp->data = NULL; +- vp->dataFreeHook = NULL; + DEBUGDUMPSECTION("recv", "VarBind"); + data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type, + &vp->val_len, &var_val, length); + if (data == NULL) +- return -1; ++ goto fail; + if (snmp_set_var_objid(vp, objid, vp->name_length)) +- return -1; ++ goto fail; + + len = MAX_PACKET_LENGTH; + DEBUGDUMPHEADER("recv", "Value"); +@@ -4583,7 +4568,7 @@ + vp->val.string = (u_char *) malloc(vp->val_len); + } + if (vp->val.string == NULL) { +- return -1; ++ goto fail; + } + asn_parse_string(var_val, &len, &vp->type, vp->val.string, + &vp->val_len); +@@ -4594,7 +4579,7 @@ + vp->val_len *= sizeof(oid); + vp->val.objid = (oid *) malloc(vp->val_len); + if (vp->val.objid == NULL) { +- return -1; ++ goto fail; + } + memmove(vp->val.objid, objid, vp->val_len); + break; +@@ -4606,19 +4591,35 @@ + case ASN_BIT_STR: + vp->val.bitstring = (u_char *) malloc(vp->val_len); + if (vp->val.bitstring == NULL) { +- return -1; ++ goto fail; + } + asn_parse_bitstring(var_val, &len, &vp->type, + vp->val.bitstring, &vp->val_len); + break; + default: + snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type); +- badtype = -1; ++ goto fail; + break; + } + DEBUGINDENTADD(-4); ++ ++ if (NULL == vplast) { ++ pdu->variables = vp; ++ } else { ++ vplast->next_variable = vp; ++ } ++ vplast = vp; ++ vp = NULL; + } +- return badtype; ++ return 0; ++ ++ fail: ++ DEBUGMSGTL(("recv", "error while parsing VarBindList\n")); ++ /** if we were parsing a var, remove it from the pdu and free it */ ++ if (vp) ++ snmp_free_var(vp); ++ ++ return -1; + } + + /* |