From: Clemens Gruber <clemens.gruber@pqgruber.com>
To: ptxdist@pengutronix.de
Cc: Clemens Gruber <clemens.gruber@pqgruber.com>
Subject: [ptxdist] [PATCH 6/7] net-snmp: add patch for CVE-2015-5621
Date: Fri, 21 Apr 2017 22:42:05 +0200 [thread overview]
Message-ID: <20170421204206.31312-6-clemens.gruber@pqgruber.com> (raw)
In-Reply-To: <20170421204206.31312-1-clemens.gruber@pqgruber.com>
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
...02-Bug-788964-net-snmp-snmp_pdu_parse-DoS.patch | 128 +++++++++++++++++++++
patches/net-snmp-5.7.3/series | 3 +-
2 files changed, 130 insertions(+), 1 deletion(-)
create mode 100644 patches/net-snmp-5.7.3/0002-Bug-788964-net-snmp-snmp_pdu_parse-DoS.patch
diff --git a/patches/net-snmp-5.7.3/0002-Bug-788964-net-snmp-snmp_pdu_parse-DoS.patch b/patches/net-snmp-5.7.3/0002-Bug-788964-net-snmp-snmp_pdu_parse-DoS.patch
new file mode 100644
index 000000000..7b804576b
--- /dev/null
+++ b/patches/net-snmp-5.7.3/0002-Bug-788964-net-snmp-snmp_pdu_parse-DoS.patch
@@ -0,0 +1,128 @@
+From: Hideki Yamane <henrich@debian.org>
+Date: Thu, 18 Jun 2015 06:21:20 +0900
+Subject: [PATCH] Bug#788964: net-snmp snmp_pdu_parse() DoS
+
+taken patch from https://sourceforge.net/p/net-snmp/code/ci/f23bcd3ac6ddee5d0a48f9703007ccc738914791/
+---
+ snmplib/snmp_api.c | 55 +++++++++++++++++++++++++++---------------------------
+ 1 file changed, 28 insertions(+), 27 deletions(-)
+
+diff --git a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+index 191debf09a3d..adae4e4a9550 100644
+--- a/snmplib/snmp_api.c
++++ b/snmplib/snmp_api.c
+@@ -4350,10 +4350,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
+ u_char type;
+ u_char msg_type;
+ u_char *var_val;
+- int badtype = 0;
+ size_t len;
+ size_t four;
+- netsnmp_variable_list *vp = NULL;
++ netsnmp_variable_list *vp = NULL, *vplast = NULL;
+ oid objid[MAX_OID_LEN];
+ u_char *p;
+
+@@ -4493,38 +4492,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
+ (ASN_SEQUENCE | ASN_CONSTRUCTOR),
+ "varbinds");
+ if (data == NULL)
+- return -1;
++ goto fail;
+
+ /*
+ * get each varBind sequence
+ */
+ while ((int) *length > 0) {
+- netsnmp_variable_list *vptemp;
+- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
+- if (NULL == vptemp) {
+- return -1;
+- }
+- if (NULL == vp) {
+- pdu->variables = vptemp;
+- } else {
+- vp->next_variable = vptemp;
+- }
+- vp = vptemp;
++ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
++ if (NULL == vp)
++ goto fail;
+
+- vp->next_variable = NULL;
+- vp->val.string = NULL;
+ vp->name_length = MAX_OID_LEN;
+- vp->name = NULL;
+- vp->index = 0;
+- vp->data = NULL;
+- vp->dataFreeHook = NULL;
+ DEBUGDUMPSECTION("recv", "VarBind");
+ data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
+ &vp->val_len, &var_val, length);
+ if (data == NULL)
+- return -1;
++ goto fail;
+ if (snmp_set_var_objid(vp, objid, vp->name_length))
+- return -1;
++ goto fail;
+
+ len = MAX_PACKET_LENGTH;
+ DEBUGDUMPHEADER("recv", "Value");
+@@ -4604,7 +4589,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
+ vp->val.string = (u_char *) malloc(vp->val_len);
+ }
+ if (vp->val.string == NULL) {
+- return -1;
++ goto fail;
+ }
+ p = asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+ &vp->val_len);
+@@ -4619,7 +4604,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
+ vp->val_len *= sizeof(oid);
+ vp->val.objid = (oid *) malloc(vp->val_len);
+ if (vp->val.objid == NULL) {
+- return -1;
++ goto fail;
+ }
+ memmove(vp->val.objid, objid, vp->val_len);
+ break;
+@@ -4631,7 +4616,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
+ case ASN_BIT_STR:
+ vp->val.bitstring = (u_char *) malloc(vp->val_len);
+ if (vp->val.bitstring == NULL) {
+- return -1;
++ goto fail;
+ }
+ p = asn_parse_bitstring(var_val, &len, &vp->type,
+ vp->val.bitstring, &vp->val_len);
+@@ -4640,12 +4625,28 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
+ break;
+ default:
+ snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
+- badtype = -1;
++ goto fail;
+ break;
+ }
+ DEBUGINDENTADD(-4);
++
++ if (NULL == vplast) {
++ pdu->variables = vp;
++ } else {
++ vplast->next_variable = vp;
++ }
++ vplast = vp;
++ vp = NULL;
+ }
+- return badtype;
++ return 0;
++
++ fail:
++ DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
++ /** if we were parsing a var, remove it from the pdu and free it */
++ if (vp)
++ snmp_free_var(vp);
++
++ return -1;
+ }
+
+ /*
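Review bot: The comment above the `fail:` cleanup in the embedded snmp_api.c change says the varbind is removed from the pdu, but in the new loop `vp` is linked into `pdu->variables` only after a varbind has parsed completely and is then reset to NULL, so at `fail:` it is never part of the list. A more accurate comment would be `/* vp is not yet linked into pdu->variables; free it here. Varbinds linked earlier stay in the pdu. */`, which also makes clear that the -1 return leaves earlier varbinds attached, presumably for the caller to release with the pdu (not visible in these hunks). In the `default:` case the `break;` after `goto fail;` is now unreachable and could be dropped. The patch header could also name CVE-2015-5621 next to Bug#788964 so the fix stays traceable from the patch file itself. snmp_pdu_parse begins and continues outside the quoted hunks.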
diff --git a/patches/net-snmp-5.7.3/series b/patches/net-snmp-5.7.3/series
index 301e15685..5552fe35a 100644
--- a/patches/net-snmp-5.7.3/series
+++ b/patches/net-snmp-5.7.3/series
@@ -2,7 +2,8 @@
#tag:base --start-number 1
#tag:upstream --start-number 1
0001-configure-Eliminate-the-hard-coded-libnl-3-include-p.patch
+0002-Bug-788964-net-snmp-snmp_pdu_parse-DoS.patch
#tag:ptx --start-number 200
0200-net-snmp-config-add-SYSROOT-support.patch
0201-Don-t-disable-udp-and-tcp-when-disable-agentx-dom-so.patch
-# 196faeb288f32b85724023f20b12de91 - git-ptx-patches magic
+# c5d69c906e0a34815049c84f73590cb2 - git-ptx-patches magic
--
2.12.2