upstream/oracle/userland-gate: comparison components/net-snmp-57/patches/059.21544351.snmp

equal deleted inserted replaced

-:683c5c035a79
+:445e2cf1c845
+This patch fixes a security issue where snmp_pdu_parse() function
+could leave incompletely parsed varBind variables in the list of
+variables. A remote, unauthenticated attacker could exploit this
+flaw to cause a crash or, potentially, execute arbitrary code.
+The vulnerability is fixed in the upsream and below is the link
+to the upstream bug.
+https://sourceforge.net/p/net-snmp/bugs/2615/
+--- a/snmplib/snmp_api.c	Mon Aug  3 03:34:05 2015
++++ b/snmplib/snmp_api.c	Mon Aug  3 03:31:01 2015
+@@ -4270,10 +4270,9 @@
+u_char          type;
+u_char          msg_type;
+u_char         *var_val;
+-    int             badtype = 0;
+size_t          len;
+size_t          four;
+-    netsnmp_variable_list *vp = NULL;
++    netsnmp_variable_list *vp = NULL, *vplast = NULL;
+oid             objid[MAX_OID_LEN];
+/*
+@@ -4486,38 +4486,24 @@
+(ASN_SEQUENCE | ASN_CONSTRUCTOR),
+"varbinds");
+if (data == NULL)
+-        return -1;
++        goto fail;
+/*
+* get each varBind sequence
+*/
+while ((int) *length > 0) {
+-        netsnmp_variable_list *vptemp;
+-        vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
+-        if (NULL == vptemp) {
+-            return -1;
+-        }
+-        if (NULL == vp) {
+-            pdu->variables = vptemp;
+-        } else {
+-            vp->next_variable = vptemp;
+-        }
+-        vp = vptemp;
+-
+-        vp->next_variable = NULL;
+-        vp->val.string = NULL;
++        vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
++        if (NULL == vp)
++            goto fail;
+vp->name_length = MAX_OID_LEN;
+-        vp->name = NULL;
+-        vp->index = 0;
+-        vp->data = NULL;
+-        vp->dataFreeHook = NULL;
++        vp->type = 0;
+DEBUGDUMPSECTION("recv", "VarBind");
+data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
+&vp->val_len, &var_val, length);
+if (data == NULL)
+-            return -1;
++            goto fail;
+if (snmp_set_var_objid(vp, objid, vp->name_length))
+-            return -1;
++            goto fail;
+len = MAX_PACKET_LENGTH;
+DEBUGDUMPHEADER("recv", "Value");
+@@ -4504,7 +4488,7 @@
+vp->val.string = (u_char *) malloc(vp->val_len);
+}
+if (vp->val.string == NULL) {
+-                return -1;
++                goto fail;
+}
+asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+&vp->val_len);
+@@ -4515,7 +4499,7 @@
+vp->val_len *= sizeof(oid);
+vp->val.objid = (oid *) malloc(vp->val_len);
+if (vp->val.objid == NULL) {
+-                return -1;
++                goto fail;
+}
+memmove(vp->val.objid, objid, vp->val_len);
+break;
+@@ -4527,7 +4511,7 @@
+case ASN_BIT_STR:
+vp->val.bitstring = (u_char *) malloc(vp->val_len);
+if (vp->val.bitstring == NULL) {
+-                return -1;
++                goto fail;
+}
+asn_parse_bitstring(var_val, &len, &vp->type,
+vp->val.bitstring, &vp->val_len);
+@@ -4534,12 +4518,25 @@
+break;
+default:
+snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
+-            badtype = -1;
++            goto fail;
+break;
+}
+DEBUGINDENTADD(-4);
++        if (NULL == vplast) {
++            pdu->variables = vp;
++        } else {
++            vplast->next_variable = vp;
++        }
++        vplast = vp;
++        vp = NULL;
+}
+-    return badtype;
++    return 0;
++    fail:
++      DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
++      /** if we were parsing a var, remove it from the pdu and free it */
++      if (vp)
++        snmp_free_var(vp);
++      return -1;
+}
+/*

changeset 5867	445e2cf1c845
parent 4755	dc5e4f992365