21544351 CVE-2015-5621snmp_pdu_parse() incompletely parsed varBinds left in variable list
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/net-snmp/patches/059.21544351.patch Sun Oct 02 22:51:02 2016 -0700
@@ -0,0 +1,119 @@
+This patch fixes a security issue where snmp_pdu_parse() function
+could leave incompletely parsed varBind variables in the list of
+variables. A remote, unauthenticated attacker could exploit this
+flaw to cause a crash or, potentially, execute arbitrary code.
+The vulnerability is fixed in the upsream and below is the link
+to the upstream bug.
+https://sourceforge.net/p/net-snmp/bugs/2615/
+
+--- net-snmp-5.4.1/snmplib/snmp_api.c 2016-09-20 04:29:08.940393100 -0700
++++ copy_net-snmp-5.4.1/snmplib/snmp_api.c 2016-09-20 04:50:11.450793400 -0700
+@@ -4273,7 +4273,7 @@
+ int badtype = 0;
+ size_t len;
+ size_t four;
+- netsnmp_variable_list *vp = NULL;
++ netsnmp_variable_list *vp = NULL, *vplast = NULL;
+ oid objid[MAX_OID_LEN];
+
+ /*
+@@ -4408,38 +4408,24 @@
+ (ASN_SEQUENCE | ASN_CONSTRUCTOR),
+ "varbinds");
+ if (data == NULL)
+- return -1;
++ goto fail;
+
+ /*
+ * get each varBind sequence
+ */
+ while ((int) *length > 0) {
+- netsnmp_variable_list *vptemp;
+- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
+- if (0 == vptemp) {
+- return -1;
+- }
+- if (0 == vp) {
+- pdu->variables = vptemp;
+- } else {
+- vp->next_variable = vptemp;
+- }
+- vp = vptemp;
+-
+- vp->next_variable = NULL;
+- vp->val.string = NULL;
++ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
++ if (NULL == vp)
++ goto fail;
+ vp->name_length = MAX_OID_LEN;
+- vp->name = 0;
+- vp->index = 0;
+- vp->data = 0;
+- vp->dataFreeHook = 0;
++ vp->type = 0;
+ DEBUGDUMPSECTION("recv", "VarBind");
+ data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
+ &vp->val_len, &var_val, length);
+ if (data == NULL)
+- return -1;
++ goto fail;
+ if (snmp_set_var_objid(vp, objid, vp->name_length))
+- return -1;
++ goto fail;
+
+ len = MAX_PACKET_LENGTH;
+ DEBUGDUMPHEADER("recv", "Value");
+@@ -4504,7 +4490,7 @@
+ vp->val.string = (u_char *) malloc(vp->val_len);
+ }
+ if (vp->val.string == NULL) {
+- return -1;
++ goto fail;
+ }
+ asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+ &vp->val_len);
+@@ -4515,7 +4501,7 @@
+ vp->val_len *= sizeof(oid);
+ vp->val.objid = (oid *) malloc(vp->val_len);
+ if (vp->val.objid == NULL) {
+- return -1;
++ goto fail;
+ }
+ memmove(vp->val.objid, objid, vp->val_len);
+ break;
+@@ -4527,19 +4513,32 @@
+ case ASN_BIT_STR:
+ vp->val.bitstring = (u_char *) malloc(vp->val_len);
+ if (vp->val.bitstring == NULL) {
+- return -1;
++ goto fail;
+ }
+ asn_parse_bitstring(var_val, &len, &vp->type,
+ vp->val.bitstring, &vp->val_len);
+ break;
+ default:
+ snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
+- badtype = -1;
++ goto fail;
+ break;
+ }
+ DEBUGINDENTADD(-4);
++ if (NULL == vplast) {
++ pdu->variables = vp;
++ } else {
++ vplast->next_variable = vp;
++ }
++ vplast = vp;
++ vp = NULL;
+ }
+- return badtype;
++ return 0;
++ fail:
++ DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
++ /** if we were parsing a var, remove it from the pdu and free it */
++ if (vp)
++ snmp_free_var(vp);
++ return -1;
+ }
+
+ /*