Commit e760d56c authored by Leonardo Arena's avatar Leonardo Arena
Browse files

main/net-snmp: security fix CVE-2012-6151. Fixes #2659

parent 4fba9281
......@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=net-snmp
pkgver=5.7.1
pkgrel=3
pkgrel=4
pkgdesc="Simple Network Management Protocol"
url="http://www.net-snmp.org/"
arch="all"
......@@ -19,6 +19,7 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz
snmpd.confd
snmptrapd.initd
snmptrapd.confd
CVE-2012-6151.patch
"
_builddir="$srcdir/$pkgname-$pkgver"
......@@ -155,4 +156,21 @@ bd7dc10ffb5839e35ec37effcc53c2ad netsnmp-swinst-crash.patch
198a4a7b80557fa8112394df5ec9914e snmpd.initd
96510a2f3bc9f21648b03f7e8d76c0d3 snmpd.confd
7ce3e9e880fc6313ae87eb000bae4bda snmptrapd.initd
363f7728a76bdfc46e29b7e1f5cf4950 snmptrapd.confd"
363f7728a76bdfc46e29b7e1f5cf4950 snmptrapd.confd
16c10a6412b5c8bf69c1d086c8e7365e CVE-2012-6151.patch"
sha256sums="7c71c9650c65b715356547e20ca2dbe6313944278af8cc19c32a5337f46b181f net-snmp-5.7.1.tar.gz
28448ebc7821d7f79bef0741b687ac40aa6419bc319578b92ed910157bd3a417 netsnmp-arp-netlink-fix.patch
377e54bc2b66590c1c5174bf2e2c820adcbecd703d67c68be13c325d04d7d0c4 netsnmp-swinst-crash.patch
2fa0a1ecd5f64827592bf55f0416cb61c6eec114aadd3e9d20aa92ce71c3a09f snmpd.initd
4a8eb647d8b8f25b03858e3815489eaf2cd8fd4932185f97a1d896f8ee2f85e8 snmpd.confd
4baf3ee9950ded78078d93c32833ff657d7e85580d64778cdc9a963cf24bc7ab snmptrapd.initd
095647b0e5be51e2bdd398267d7450da678b7d23cae6273f9b9461a26f89d69f snmptrapd.confd
010b4eeac6b436876890c283ac29385e63684fcd07d44eda93a635a945c63293 CVE-2012-6151.patch"
sha512sums="1e20181ab6c7c6062e0dd2f9b55f27bceb151b83e3174aa86e358e55be99792ef01251edc1401cde1192494599b17f65d390f7286b3571a733c32b12fac46993 net-snmp-5.7.1.tar.gz
c30845a2d9da624bd851cdb1b0534ed21f85a7956c43f9f99f79132d05619dec77e3b71ead942cc90f1418598a9656143cdba56c010318b21a05c8e5af3c28a2 netsnmp-arp-netlink-fix.patch
78c036f1e6b4e3592cb2a6ff9b22671c930e337e9644298a9f78b6f13af1d9241d9c15dcc996b441b51cb2d551bf2dfe5caf602ff1e17baf7b6532f3dc6ba5bd netsnmp-swinst-crash.patch
ad66fef217ad9884114e9006c20074288656cf79fae19b59941545bbb551adfaaf4ec54cd0802e096a715d35c49a7c94cd4369302f847b8ba2892bd9fb62848c snmpd.initd
3030ad11dd556569e481f108af69aef620b1fe67be8d8d12016f4aed1f0ffdb6c2ee87c40ed5bc883986568227e097cb7aa958658e01da51576848715bf65472 snmpd.confd
e9b29b89d27e88420932ea6ca077a6c807ae5555436cad4d840ec732b5851a498661d0d174f22d308f403904b623d7eadf9d201a539529ff57ced18bc8c58b6f snmptrapd.initd
9cafeece565ca09c2cc85fa9c805d9932a745aca45b999e7511ccd0ffe0a95eddc1441ed231acf52a811db124bc2f797612ebb182b0a8a959ad24506e790a0b1 snmptrapd.confd
f39cad8bb4ed38cfa1e53f58f09e8a83ce8c3272ef8a522422a4f7b759a56c81a4ae31f1ead8da9b800509ea3e9d48892612f27ddcbd2f3853d5f7535b00b0f1 CVE-2012-6151.patch"
--- a/agent/mibgroup/agentx/master_admin.c
+++ b/agent/mibgroup/agentx/master_admin.c
@@ -158,6 +158,7 @@
for (sp = session->subsession; sp != NULL; sp = sp->next) {
if (sp->sessid == sessid) {
+ netsnmp_remove_delegated_requests_for_session(sp);
unregister_mibs_by_session(sp);
unregister_index_by_session(sp);
unregister_sysORTable_by_session(sp);
--- a/agent/snmp_agent.c
+++ b/agent/snmp_agent.c
@@ -1415,6 +1415,7 @@
asp->treecache_num = -1;
asp->treecache_len = 0;
asp->reqinfo = SNMP_MALLOC_TYPEDEF(netsnmp_agent_request_info);
+ asp->flags = SNMP_AGENT_FLAGS_NONE;
DEBUGMSGTL(("verbose:asp", "asp %p reqinfo %p created\n",
asp, asp->reqinfo));
@@ -1463,6 +1464,9 @@
if (NULL == asp->treecache)
return 0;
+
+ if (asp->flags & SNMP_AGENT_FLAGS_CANCEL_IN_PROGRESS)
+ return 0;
for (i = 0; i <= asp->treecache_num; i++) {
for (request = asp->treecache[i].requests_begin; request;
@@ -1541,39 +1545,48 @@
netsnmp_remove_delegated_requests_for_session(netsnmp_session *sess)
{
netsnmp_agent_session *asp;
- int count = 0;
+ int total_count = 0;
for (asp = agent_delegated_list; asp; asp = asp->next) {
/*
* check each request
*/
+ int i;
+ int count = 0;
netsnmp_request_info *request;
- for(request = asp->requests; request; request = request->next) {
- /*
- * check session
- */
- netsnmp_assert(NULL!=request->subtree);
- if(request->subtree->session != sess)
- continue;
-
- /*
- * matched! mark request as done
- */
- netsnmp_request_set_error(request, SNMP_ERR_GENERR);
- ++count;
+ for (i = 0; i <= asp->treecache_num; i++) {
+ for (request = asp->treecache[i].requests_begin; request;
+ request = request->next) {
+ /*
+ * check session
+ */
+ netsnmp_assert(NULL!=request->subtree);
+ if(request->subtree->session != sess)
+ continue;
+
+ /*
+ * matched! mark request as done
+ */
+ netsnmp_request_set_error(request, SNMP_ERR_GENERR);
+ ++count;
+ }
+ }
+ if (count) {
+ asp->flags |= SNMP_AGENT_FLAGS_CANCEL_IN_PROGRESS;
+ total_count += count;
}
}
/*
* if we found any, that request may be finished now
*/
- if(count) {
+ if(total_count) {
DEBUGMSGTL(("snmp_agent", "removed %d delegated request(s) for session "
- "%8p\n", count, sess));
- netsnmp_check_outstanding_agent_requests();
+ "%8p\n", total_count, sess));
+ netsnmp_check_delegated_requests();
}
- return count;
+ return total_count;
}
int
@@ -2745,19 +2758,11 @@
return final_status;
}
-/*
- * loop through our sessions known delegated sessions and check to see
- * if they've completed yet. If there are no more delegated sessions,
- * check for and process any queued requests
- */
void
-netsnmp_check_outstanding_agent_requests(void)
+netsnmp_check_delegated_requests(void)
{
netsnmp_agent_session *asp, *prev_asp = NULL, *next_asp = NULL;
- /*
- * deal with delegated requests
- */
for (asp = agent_delegated_list; asp; asp = next_asp) {
next_asp = asp->next; /* save in case we clean up asp */
if (!netsnmp_check_for_delegated(asp)) {
@@ -2796,6 +2801,22 @@
prev_asp = asp;
}
}
+}
+
+/*
+ * loop through our sessions known delegated sessions and check to see
+ * if they've completed yet. If there are no more delegated sessions,
+ * check for and process any queued requests
+ */
+void
+netsnmp_check_outstanding_agent_requests(void)
+{
+ netsnmp_agent_session *asp;
+
+ /*
+ * deal with delegated requests
+ */
+ netsnmp_check_delegated_requests();
/*
* if we are processing a set and there are more delegated
@@ -2825,7 +2846,8 @@
netsnmp_processing_set = netsnmp_agent_queued_list;
DEBUGMSGTL(("snmp_agent", "SET request remains queued while "
- "delegated requests finish, asp = %8p\n", asp));
+ "delegated requests finish, asp = %8p\n",
+ agent_delegated_list));
break;
}
#endif /* NETSNMP_NO_WRITE_SUPPORT */
@@ -2886,6 +2908,10 @@
case SNMP_MSG_GETBULK:
case SNMP_MSG_GETNEXT:
netsnmp_check_all_requests_status(asp, 0);
+ if (asp->flags & SNMP_AGENT_FLAGS_CANCEL_IN_PROGRESS) {
+ DEBUGMSGTL(("snmp_agent","canceling next walk for asp %p\n", asp));
+ break;
+ }
handle_getnext_loop(asp);
if (netsnmp_check_for_delegated(asp) &&
netsnmp_check_transaction_id(asp->pdu->transid) !=
--- a/include/net-snmp/agent/snmp_agent.h
+++ b/include/net-snmp/agent/snmp_agent.h
@@ -31,6 +31,9 @@
#define SNMP_MAX_PDU_SIZE 64000 /* local constraint on PDU size sent by agent
* (see also SNMP_MAX_MSG_SIZE in snmp_api.h) */
+
+#define SNMP_AGENT_FLAGS_NONE 0x0
+#define SNMP_AGENT_FLAGS_CANCEL_IN_PROGRESS 0x1
/*
* If non-zero, causes the addresses of peers to be logged when receptions
@@ -205,6 +208,7 @@
int treecache_num; /* number of current cache entries */
netsnmp_cachemap *cache_store;
int vbcount;
+ int flags;
} netsnmp_agent_session;
/*
@@ -240,6 +244,7 @@
int init_master_agent(void);
void shutdown_master_agent(void);
int agent_check_and_process(int block);
+ void netsnmp_check_delegated_requests(void);
void netsnmp_check_outstanding_agent_requests(void);
int netsnmp_request_set_error(netsnmp_request_info *request,
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment