From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from ptx.hi.pengutronix.de ([2001:6f8:1178:2:5054:ff:fec0:8e10] ident=Debian-exim) by metis.ext.pengutronix.de with esmtp (Exim 4.72) (envelope-from ) id 1Wz4Ro-0007oT-6A for ptxdist@pengutronix.de; Mon, 23 Jun 2014 15:38:12 +0200 Received: from mol by ptx.hi.pengutronix.de with local (Exim 4.80) (envelope-from ) id 1Wz4Ro-00051w-4W for ptxdist@pengutronix.de; Mon, 23 Jun 2014 15:38:12 +0200 Date: Mon, 23 Jun 2014 15:38:12 +0200 From: Michael Olbrich Message-ID: <20140623133812.GI16937@pengutronix.de> References: <1403176327-26146-1-git-send-email-post@lespocky.de> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <1403176327-26146-1-git-send-email-post@lespocky.de> Subject: Re: [ptxdist] [PATCH] net-snmp: add security patch from upstream 5.7.2.1 Reply-To: ptxdist@pengutronix.de List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ptxdist-bounces@pengutronix.de Errors-To: ptxdist-bounces@pengutronix.de To: ptxdist@pengutronix.de On Thu, Jun 19, 2014 at 01:12:07PM +0200, Alexander Dahl wrote: > Upstream 5.7.2.1 was released fixing one security issue (possible denial > of service with ICMP-MIB on linux). However the tarball is broken, so we > just add this one patch on top of the working 5.7.2 tarball. Thanks, applied. Michael > > Signed-off-by: Alexander Dahl > --- > ...m-fenner-fix-ICMP-mib-table-handling-on-l.patch | 148 ++++++++++++++++++++ > ...0200-net-snmp-config-add-SYSROOT-support.patch} | 2 +- > ...e-udp-and-tcp-when-disable-agentx-dom-so.patch} | 6 +- > patches/net-snmp-5.7.2/series | 9 +- > 4 files changed, 158 insertions(+), 7 deletions(-) > create mode 100644 patches/net-snmp-5.7.2/0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch > rename patches/net-snmp-5.7.2/{0001-net-snmp-config-add-SYSROOT-support.patch => 0200-net-snmp-config-add-SYSROOT-support.patch} (98%) > rename patches/net-snmp-5.7.2/{0002-Don-t-disable-udp-and-tcp-when-disable-agentx-dom-so.patch => 0201-Don-t-disable-udp-and-tcp-when-disable-agentx-dom-so.patch} (90%) > > diff --git a/patches/net-snmp-5.7.2/0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch b/patches/net-snmp-5.7.2/0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch > new file mode 100644 > index 0000000..b0b2da8 > --- /dev/null > +++ b/patches/net-snmp-5.7.2/0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch > @@ -0,0 +1,148 @@ > +From: Wes Hardaker > +Date: Wed, 19 Feb 2014 15:21:57 -0800 > +Subject: [PATCH] bug fix from fenner: fix ICMP mib table handling on linux > + > +--- > + agent/mibgroup/mibII/icmp.c | 25 +++++++++++++++++++++++-- > + agent/mibgroup/mibII/kernel_linux.c | 19 +++++++++++++------ > + agent/mibgroup/mibII/kernel_linux.h | 4 ++-- > + 3 files changed, 38 insertions(+), 10 deletions(-) > + > +diff --git a/agent/mibgroup/mibII/icmp.c b/agent/mibgroup/mibII/icmp.c > +index 14c73a6..6d10426 100644 > +--- a/agent/mibgroup/mibII/icmp.c > ++++ b/agent/mibgroup/mibII/icmp.c > +@@ -106,10 +106,20 @@ struct icmp_msg_stats_table_entry { > + int flags; > + }; > + > ++#ifdef linux > ++/* Linux keeps track of all possible message types */ > ++#define ICMP_MSG_STATS_IPV4_COUNT 256 > ++#else > + #define ICMP_MSG_STATS_IPV4_COUNT 11 > ++#endif > + > + #ifdef NETSNMP_ENABLE_IPV6 > ++#ifdef linux > ++/* Linux keeps track of all possible message types */ > ++#define ICMP_MSG_STATS_IPV6_COUNT 256 > ++#else > + #define ICMP_MSG_STATS_IPV6_COUNT 14 > ++#endif > + #else > + #define ICMP_MSG_STATS_IPV6_COUNT 0 > + #endif /* NETSNMP_ENABLE_IPV6 */ > +@@ -177,7 +187,7 @@ icmp_msg_stats_load(netsnmp_cache *cache, void *vmagic) > + inc = 0; > + linux_read_icmp_msg_stat(&v4icmp, &v4icmpmsg, &flag); > + if (flag) { > +- while (254 != k) { > ++ while (255 >= k) { > + if (v4icmpmsg.vals[k].InType) { > + icmp_msg_stats_table[i].ipVer = 1; > + icmp_msg_stats_table[i].icmpMsgStatsType = k; > +@@ -267,7 +277,7 @@ icmp_msg_stats_load(netsnmp_cache *cache, void *vmagic) > + inc = 0; > + linux_read_icmp6_msg_stat(&v6icmp, &v6icmpmsg, &flag); > + if (flag) { > +- while (254 != k) { > ++ while (255 >= k) { > + if (v6icmpmsg.vals[k].InType) { > + icmp_msg_stats_table[i].ipVer = 2; > + icmp_msg_stats_table[i].icmpMsgStatsType = k; > +@@ -1050,6 +1060,12 @@ icmp_stats_table_handler(netsnmp_mib_handler *handler, > + continue; > + table_info = netsnmp_extract_table_info(request); > + subid = table_info->colnum; > ++ DEBUGMSGTL(( "mibII/icmpStatsTable", "oid: " )); > ++ DEBUGMSGOID(( "mibII/icmpStatsTable", request->requestvb->name, > ++ request->requestvb->name_length )); > ++ DEBUGMSG(( "mibII/icmpStatsTable", " In %d InErr %d Out %d OutErr %d\n", > ++ entry->icmpStatsInMsgs, entry->icmpStatsInErrors, > ++ entry->icmpStatsOutMsgs, entry->icmpStatsOutErrors )); > + > + switch (subid) { > + case ICMP_STAT_INMSG: > +@@ -1117,6 +1133,11 @@ icmp_msg_stats_table_handler(netsnmp_mib_handler *handler, > + continue; > + table_info = netsnmp_extract_table_info(request); > + subid = table_info->colnum; > ++ DEBUGMSGTL(( "mibII/icmpMsgStatsTable", "oid: " )); > ++ DEBUGMSGOID(( "mibII/icmpMsgStatsTable", request->requestvb->name, > ++ request->requestvb->name_length )); > ++ DEBUGMSG(( "mibII/icmpMsgStatsTable", " In %d Out %d Flags 0x%x\n", > ++ entry->icmpMsgStatsInPkts, entry->icmpMsgStatsOutPkts, entry->flags )); > + > + switch (subid) { > + case ICMP_MSG_STAT_IN_PKTS: > +diff --git a/agent/mibgroup/mibII/kernel_linux.c b/agent/mibgroup/mibII/kernel_linux.c > +index b21a166..ba320c7 100644 > +--- a/agent/mibgroup/mibII/kernel_linux.c > ++++ b/agent/mibgroup/mibII/kernel_linux.c > +@@ -81,9 +81,9 @@ decode_icmp_msg(char *line, char *data, struct icmp4_msg_mib *msg) > + index = strtol(token, &delim, 0); > + if (ERANGE == errno) { > + continue; > +- } else if (index > LONG_MAX) { > ++ } else if (index > 255) { > + continue; > +- } else if (index < LONG_MIN) { > ++ } else if (index < 0) { > + continue; > + } > + if (NULL == (token = strtok_r(dataptr, " ", &saveptr1))) > +@@ -94,9 +94,9 @@ decode_icmp_msg(char *line, char *data, struct icmp4_msg_mib *msg) > + index = strtol(token, &delim, 0); > + if (ERANGE == errno) { > + continue; > +- } else if (index > LONG_MAX) { > ++ } else if (index > 255) { > + continue; > +- } else if (index < LONG_MIN) { > ++ } else if (index < 0) { > + continue; > + } > + if(NULL == (token = strtok_r(dataptr, " ", &saveptr1))) > +@@ -426,14 +426,21 @@ linux_read_icmp6_parse(struct icmp6_mib *icmp6stat, > + > + vals = name; > + if (NULL != icmp6msgstat) { > ++ int type; > + if (0 == strncmp(name, "Icmp6OutType", 12)) { > + strsep(&vals, "e"); > +- icmp6msgstat->vals[atoi(vals)].OutType = stats; > ++ type = atoi(vals); > ++ if ( type < 0 || type > 255 ) > ++ continue; > ++ icmp6msgstat->vals[type].OutType = stats; > + *support = 1; > + continue; > + } else if (0 == strncmp(name, "Icmp6InType", 11)) { > + strsep(&vals, "e"); > +- icmp6msgstat->vals[atoi(vals)].InType = stats; > ++ type = atoi(vals); > ++ if ( type < 0 || type > 255 ) > ++ continue; > ++ icmp6msgstat->vals[type].InType = stats; > + *support = 1; > + continue; > + } > +diff --git a/agent/mibgroup/mibII/kernel_linux.h b/agent/mibgroup/mibII/kernel_linux.h > +index 6bf5d47..c6dfca9 100644 > +--- a/agent/mibgroup/mibII/kernel_linux.h > ++++ b/agent/mibgroup/mibII/kernel_linux.h > +@@ -121,11 +121,11 @@ struct icmp_msg_mib { > + > + /* Lets use wrapper structures for future expansion */ > + struct icmp4_msg_mib { > +- struct icmp_msg_mib vals[255]; > ++ struct icmp_msg_mib vals[256]; > + }; > + > + struct icmp6_msg_mib { > +- struct icmp_msg_mib vals[255]; > ++ struct icmp_msg_mib vals[256]; > + }; > + > + struct udp_mib { > diff --git a/patches/net-snmp-5.7.2/0001-net-snmp-config-add-SYSROOT-support.patch b/patches/net-snmp-5.7.2/0200-net-snmp-config-add-SYSROOT-support.patch > similarity index 98% > rename from patches/net-snmp-5.7.2/0001-net-snmp-config-add-SYSROOT-support.patch > rename to patches/net-snmp-5.7.2/0200-net-snmp-config-add-SYSROOT-support.patch > index a1161bb..9c46268 100644 > --- a/patches/net-snmp-5.7.2/0001-net-snmp-config-add-SYSROOT-support.patch > +++ b/patches/net-snmp-5.7.2/0200-net-snmp-config-add-SYSROOT-support.patch > @@ -12,7 +12,7 @@ Adapted to 5.7.2 > > Signed-off-by: Alexander Dahl > --- > - net-snmp-config.in | 8 ++++---- > + net-snmp-config.in | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/net-snmp-config.in b/net-snmp-config.in > diff --git a/patches/net-snmp-5.7.2/0002-Don-t-disable-udp-and-tcp-when-disable-agentx-dom-so.patch b/patches/net-snmp-5.7.2/0201-Don-t-disable-udp-and-tcp-when-disable-agentx-dom-so.patch > similarity index 90% > rename from patches/net-snmp-5.7.2/0002-Don-t-disable-udp-and-tcp-when-disable-agentx-dom-so.patch > rename to patches/net-snmp-5.7.2/0201-Don-t-disable-udp-and-tcp-when-disable-agentx-dom-so.patch > index cd6605a..fb7be8c 100644 > --- a/patches/net-snmp-5.7.2/0002-Don-t-disable-udp-and-tcp-when-disable-agentx-dom-so.patch > +++ b/patches/net-snmp-5.7.2/0201-Don-t-disable-udp-and-tcp-when-disable-agentx-dom-so.patch > @@ -1,7 +1,7 @@ > From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= > Date: Tue, 3 Sep 2013 21:12:46 +0200 > -Subject: [PATCH] Don't disable udp and tcp when --disable-agentx-dom-sock-only > - is given > +Subject: [PATCH] Don't disable udp and tcp when > + --disable-agentx-dom-sock-only is given > > The configure magic without this patch treats all > > @@ -13,7 +13,7 @@ the same; i.e. disables the udp and tcp transports. With this patch only the > first option does have this effect which matches the usual and expected > semantic. > --- > - configure.d/config_project_with_enable | 8 +++++--- > + configure.d/config_project_with_enable | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/configure.d/config_project_with_enable b/configure.d/config_project_with_enable > diff --git a/patches/net-snmp-5.7.2/series b/patches/net-snmp-5.7.2/series > index 1596362..f79fdd7 100644 > --- a/patches/net-snmp-5.7.2/series > +++ b/patches/net-snmp-5.7.2/series > @@ -1,5 +1,8 @@ > # generated by git-ptx-patches > #tag:base --start-number 1 > -0001-net-snmp-config-add-SYSROOT-support.patch > -0002-Don-t-disable-udp-and-tcp-when-disable-agentx-dom-so.patch > -# 97810382623b86e69e492f3a5712bcf4 - git-ptx-patches magic > +#tag:upstream --start-number 1 > +0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch > +#tag:ptx --start-number 200 > +0200-net-snmp-config-add-SYSROOT-support.patch > +0201-Don-t-disable-udp-and-tcp-when-disable-agentx-dom-so.patch > +# eda93cf4517290230962af7514bfd246 - git-ptx-patches magic > -- > 1.7.10.4 > > > -- > ptxdist mailing list > ptxdist@pengutronix.de > -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 | -- ptxdist mailing list ptxdist@pengutronix.de