Commit d62a69d9 authored by Natanael Copa's avatar Natanael Copa

main/net-snmp: security fix for CVE-2015-5621

parent b9e85154
......@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=net-snmp
pkgver=5.7.3
pkgrel=2
pkgrel=3
pkgdesc="Simple Network Management Protocol"
url="http://www.net-snmp.org/"
arch="all"
......@@ -17,6 +17,8 @@ subpackages="$pkgname-doc $pkgname-dev $pkgname-libs $pkgname-agent-libs:alibs
source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz
netsnmp-swinst-crash.patch
fix-includes.patch
CVE-2015-5621.patch
snmpd.initd
snmpd.confd
snmptrapd.initd
......@@ -157,6 +159,7 @@ tools() {
md5sums="d4a3459e1577d0efa8d96ca70a885e53 net-snmp-5.7.3.tar.gz
4fd189ec7154114c9bd19f2b0058ae9c netsnmp-swinst-crash.patch
0fe11859a55f8e2489d5de629971a242 fix-includes.patch
2267947dd243b4fa85a3cf0c23dbaa76 CVE-2015-5621.patch
15faba29c3a61aaa41e4ca9b04f3cebf snmpd.initd
ea1296c366d6a7b0dab8a5b46e02d139 snmpd.confd
b929515d53d6f5dbf7f85c92efc90455 snmptrapd.initd
......@@ -164,6 +167,7 @@ b929515d53d6f5dbf7f85c92efc90455 snmptrapd.initd
sha256sums="12ef89613c7707dc96d13335f153c1921efc9d61d3708ef09f3fc4a7014fb4f0 net-snmp-5.7.3.tar.gz
2de23959acf74d8f893129819149d016cc22f2d60e15f875e4d17de33931013e netsnmp-swinst-crash.patch
7528f7d368a0a4536915805c065f8496c37cb99dbc74d508bed89831cd5af37e fix-includes.patch
4cfe532b39877d90836d04079ab7bff14727719e8ca719ead9d615b21cade255 CVE-2015-5621.patch
c8597688d848f10f305f883466300e48fa4976b782835a45781ad7e1a8374cd6 snmpd.initd
e1434b38611a436278b1f0974a55ea3374863a975405b5dc2da836e9acb082ff snmpd.confd
bad9efc1b131d7a0b5a05dedc589b011908ee9eb24472bffa6c5838d363db11e snmptrapd.initd
......@@ -171,6 +175,7 @@ bad9efc1b131d7a0b5a05dedc589b011908ee9eb24472bffa6c5838d363db11e snmptrapd.init
sha512sums="0758bba5844cfd6c80959ac16b83906a2f830ba49fd0ab1bf9e191dc6a79d312a2e4760bd53b3e1a1c82759481f0064d088d5a3cf475d84b25679a6bd0f049bb net-snmp-5.7.3.tar.gz
4ad92f50b14d5e27ba86256cc532a2dd055502f4d5fbb1700434f9f01f881fd09bb1eadb94e727554e1470f036707558314c64a66d0376b54e71ab31d5e4baa3 netsnmp-swinst-crash.patch
87a552bd2e41684bba6e87fbcf6454a85ee912d7a339411fda24cebddf7661f0856729e076a917920a542cf84b687ffd90a091daa15f2c48f0ff64f3a53c0ddb fix-includes.patch
2b2a7be54a570e3c1bb701f8ccfb98ea8e50a19fda021f43a521d4e968ded1bc5e794fc4348dff7fcdf57da34ff6b555398851bbccfcf92bb75ad6f365a80dba CVE-2015-5621.patch
b19c039ad45b1802a243b6c2b870aca1f251f8fc22530bbe3c61b037f289891efa692dc1d6bd53148ee35c115367cbb22200af480b7898bfb2cb0a4b0d51cd73 snmpd.initd
ad30bb027dbd18272a4ddb34009bdaa19df030f23956c5fa592e47cf76ad87175ae6b97659b8bbd866d79674bbc7b8b3a8a400746139c18de0eb86902706b65f snmpd.confd
17239cdeac6bf8ea47bc1238567f72be9c755591ca386a87e58ee5d3ac074e228b5cdd399618e7434a8c535537d6c6a48c8d66d84380b8944fe00514f090c00d snmptrapd.initd
......
From 3714c5be3212d2af61545439eeb432e5d84a8d39 Mon Sep 17 00:00:00 2001
From: Robert Story <rstory@localhost>
Date: Sat, 11 Apr 2015 18:49:02 -0400
Subject: [PATCH] CHANGES: BUG: #2615: Don't return incompletely parsed
varbinds
---
snmplib/snmp_api.c | 55 +++++++++++++++++++++++++++---------------------------
1 file changed, 28 insertions(+), 27 deletions(-)
diff --git a/snmplib/snmp_api.c b/snmplib/snmp_api.c
index 191debf..adae4e4 100644
--- a/snmplib/snmp_api.c
+++ b/snmplib/snmp_api.c
@@ -4350,10 +4350,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
u_char type;
u_char msg_type;
u_char *var_val;
- int badtype = 0;
size_t len;
size_t four;
- netsnmp_variable_list *vp = NULL;
+ netsnmp_variable_list *vp = NULL, *vplast = NULL;
oid objid[MAX_OID_LEN];
u_char *p;
@@ -4493,38 +4492,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
(ASN_SEQUENCE | ASN_CONSTRUCTOR),
"varbinds");
if (data == NULL)
- return -1;
+ goto fail;
/*
* get each varBind sequence
*/
while ((int) *length > 0) {
- netsnmp_variable_list *vptemp;
- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
- if (NULL == vptemp) {
- return -1;
- }
- if (NULL == vp) {
- pdu->variables = vptemp;
- } else {
- vp->next_variable = vptemp;
- }
- vp = vptemp;
+ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
+ if (NULL == vp)
+ goto fail;
- vp->next_variable = NULL;
- vp->val.string = NULL;
vp->name_length = MAX_OID_LEN;
- vp->name = NULL;
- vp->index = 0;
- vp->data = NULL;
- vp->dataFreeHook = NULL;
DEBUGDUMPSECTION("recv", "VarBind");
data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
&vp->val_len, &var_val, length);
if (data == NULL)
- return -1;
+ goto fail;
if (snmp_set_var_objid(vp, objid, vp->name_length))
- return -1;
+ goto fail;
len = MAX_PACKET_LENGTH;
DEBUGDUMPHEADER("recv", "Value");
@@ -4604,7 +4589,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
vp->val.string = (u_char *) malloc(vp->val_len);
}
if (vp->val.string == NULL) {
- return -1;
+ goto fail;
}
p = asn_parse_string(var_val, &len, &vp->type, vp->val.string,
&vp->val_len);
@@ -4619,7 +4604,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
vp->val_len *= sizeof(oid);
vp->val.objid = (oid *) malloc(vp->val_len);
if (vp->val.objid == NULL) {
- return -1;
+ goto fail;
}
memmove(vp->val.objid, objid, vp->val_len);
break;
@@ -4631,7 +4616,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
case ASN_BIT_STR:
vp->val.bitstring = (u_char *) malloc(vp->val_len);
if (vp->val.bitstring == NULL) {
- return -1;
+ goto fail;
}
p = asn_parse_bitstring(var_val, &len, &vp->type,
vp->val.bitstring, &vp->val_len);
@@ -4640,12 +4625,28 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
break;
default:
snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
- badtype = -1;
+ goto fail;
break;
}
DEBUGINDENTADD(-4);
+
+ if (NULL == vplast) {
+ pdu->variables = vp;
+ } else {
+ vplast->next_variable = vp;
+ }
+ vplast = vp;
+ vp = NULL;
}
- return badtype;
+ return 0;
+
+ fail:
+ DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
+ /** if we were parsing a var, remove it from the pdu and free it */
+ if (vp)
+ snmp_free_var(vp);
+
+ return -1;
}
/*
--
2.5.0
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment