21544351 CVE-2015-5621snmp_pdu_parse() incompletely parsed varBinds left in variable list s11u3-sru
authorVishwas Shekarappa Gudiyavar <vishwas.shekarappa.gudiyavar@oracle.com>
Sun, 02 Oct 2016 22:51:02 -0700
branchs11u3-sru
changeset 7019 de736f0de312
parent 7010 7771476ad8a8
child 7022 a132ff51166e
21544351 CVE-2015-5621snmp_pdu_parse() incompletely parsed varBinds left in variable list
components/net-snmp/patches/059.21544351.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/net-snmp/patches/059.21544351.patch	Sun Oct 02 22:51:02 2016 -0700
@@ -0,0 +1,119 @@
+This patch fixes a security issue where snmp_pdu_parse() function 
+could leave incompletely parsed varBind variables in the list of  
+variables. A remote, unauthenticated attacker could exploit this 
+flaw to cause a crash or, potentially, execute arbitrary code.
+The vulnerability is fixed in the upsream and below is the link 
+to the upstream bug.
+https://sourceforge.net/p/net-snmp/bugs/2615/ 
+
+--- net-snmp-5.4.1/snmplib/snmp_api.c	2016-09-20 04:29:08.940393100 -0700
++++ copy_net-snmp-5.4.1/snmplib/snmp_api.c	2016-09-20 04:50:11.450793400 -0700
[email protected]@ -4273,7 +4273,7 @@
+     int             badtype = 0;
+     size_t          len;
+     size_t          four;
+-    netsnmp_variable_list *vp = NULL;
++    netsnmp_variable_list *vp = NULL, *vplast = NULL;
+     oid             objid[MAX_OID_LEN];
+ 
+     /*
[email protected]@ -4408,38 +4408,24 @@
+                               (ASN_SEQUENCE | ASN_CONSTRUCTOR),
+                               "varbinds");
+     if (data == NULL)
+-        return -1;
++	goto fail;
+ 
+     /*
+      * get each varBind sequence 
+      */
+     while ((int) *length > 0) {
+-        netsnmp_variable_list *vptemp;
+-        vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
+-        if (0 == vptemp) {
+-            return -1;
+-        }
+-        if (0 == vp) {
+-            pdu->variables = vptemp;
+-        } else {
+-            vp->next_variable = vptemp;
+-        }
+-        vp = vptemp;
+-
+-        vp->next_variable = NULL;
+-        vp->val.string = NULL;
++	 vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
++        if (NULL == vp)
++            goto fail;
+         vp->name_length = MAX_OID_LEN;
+-        vp->name = 0;
+-        vp->index = 0;
+-        vp->data = 0;
+-        vp->dataFreeHook = 0;
++	 vp->type = 0;
+         DEBUGDUMPSECTION("recv", "VarBind");
+         data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
+                                  &vp->val_len, &var_val, length);
+         if (data == NULL)
+-            return -1;
++		goto fail;
+         if (snmp_set_var_objid(vp, objid, vp->name_length))
+-            return -1;
++		goto fail;
+ 
+         len = MAX_PACKET_LENGTH;
+         DEBUGDUMPHEADER("recv", "Value");
[email protected]@ -4504,7 +4490,7 @@
+                 vp->val.string = (u_char *) malloc(vp->val_len);
+             }
+             if (vp->val.string == NULL) {
+-                return -1;
++		goto fail;
+             }
+             asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+                              &vp->val_len);
[email protected]@ -4515,7 +4501,7 @@
+             vp->val_len *= sizeof(oid);
+             vp->val.objid = (oid *) malloc(vp->val_len);
+             if (vp->val.objid == NULL) {
+-                return -1;
++		goto fail;
+             }
+             memmove(vp->val.objid, objid, vp->val_len);
+             break;
[email protected]@ -4527,19 +4513,32 @@
+         case ASN_BIT_STR:
+             vp->val.bitstring = (u_char *) malloc(vp->val_len);
+             if (vp->val.bitstring == NULL) {
+-                return -1;
++		goto fail;
+             }
+             asn_parse_bitstring(var_val, &len, &vp->type,
+                                 vp->val.bitstring, &vp->val_len);
+             break;
+         default:
+             snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
+-            badtype = -1;
++	    goto fail;
+             break;
+         }
+         DEBUGINDENTADD(-4);
++	 if (NULL == vplast) {
++            pdu->variables = vp;
++        } else {
++            vplast->next_variable = vp;
++        }
++        vplast = vp;
++        vp = NULL;
+     }
+-    return badtype;
++    return 0;
++    fail:
++      DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
++      /** if we were parsing a var, remove it from the pdu and free it */
++      if (vp)
++        snmp_free_var(vp);
++      return -1;
+ }
+ 
+ /*