Blame SOURCES/net-snmp-5.7.2-icmp-mib.patch

1072092 - net-snmp: denial of service flaw in Linux implementation of ICMP-MIB
commit 8407b6ce46ca7159b3c816d1024e20a53f9a1c6c
Author: Wes Hardaker <hardaker@users.sourceforge.net>
Date:   Wed Feb 19 15:21:57 2014 -0800
    bug fix from fenner: fix ICMP mib table handling on linux
diff --git a/agent/mibgroup/mibII/icmp.c b/agent/mibgroup/mibII/icmp.c
index 14c73a6..6d10426 100644
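--- a/agent/mibgroup/mibII/icmp.c
+++ b/agent/mibgroup/mibII/icmp.c
@@ -106,10 +106,20 @@ struct icmp_msg_stats_table_entry {
         int flags;
 };
 
+#ifdef linux
+/* Linux keeps track of all possible message types */
+#define ICMP_MSG_STATS_IPV4_COUNT 256
+#else
 #define ICMP_MSG_STATS_IPV4_COUNT 11
+#endif
 
 #ifdef NETSNMP_ENABLE_IPV6
+#ifdef linux
+/* Linux keeps track of all possible message types */
+#define ICMP_MSG_STATS_IPV6_COUNT 256
+#else
 #define ICMP_MSG_STATS_IPV6_COUNT 14
+#endif
 #else
 #define ICMP_MSG_STATS_IPV6_COUNT 0
 #endif /* NETSNMP_ENABLE_IPV6 */
@@ -177,7 +187,7 @@ icmp_msg_stats_load(netsnmp_cache *cache, void *vmagic)
     inc = 0;
     linux_read_icmp_msg_stat(&v4icmp, &v4icmpmsg, &flag;;
     if (flag) {
-        while (254 != k) {
+        while (255 >= k) {
             if (v4icmpmsg.vals[k].InType) {
                 icmp_msg_stats_table[i].ipVer = 1;
                 icmp_msg_stats_table[i].icmpMsgStatsType = k;
@@ -267,7 +277,7 @@ icmp_msg_stats_load(netsnmp_cache *cache, void *vmagic)
     inc = 0;
     linux_read_icmp6_msg_stat(&v6icmp, &v6icmpmsg, &flag;;
     if (flag) {
-        while (254 != k) {
+        while (255 >= k) {
             if (v6icmpmsg.vals[k].InType) {
                 icmp_msg_stats_table[i].ipVer = 2;
                 icmp_msg_stats_table[i].icmpMsgStatsType = k;
@@ -1050,6 +1060,12 @@ icmp_stats_table_handler(netsnmp_mib_handler  *handler,
 					continue;
 				table_info = netsnmp_extract_table_info(request);
 				subid      = table_info->colnum;
+				DEBUGMSGTL(( "mibII/icmpStatsTable", "oid: " ));
+				DEBUGMSGOID(( "mibII/icmpStatsTable", request->requestvb->name,
+						 request->requestvb->name_length ));
+				DEBUGMSG(( "mibII/icmpStatsTable", " In %d InErr %d Out %d OutErr %d\n",
+					      entry->icmpStatsInMsgs, entry->icmpStatsInErrors,
+					      entry->icmpStatsOutMsgs, entry->icmpStatsOutErrors ));
 
 				switch (subid) {
 					case ICMP_STAT_INMSG:
@@ -1117,6 +1133,11 @@ icmp_msg_stats_table_handler(netsnmp_mib_handler          *handler,
                     continue;
                 table_info = netsnmp_extract_table_info(request);
                 subid = table_info->colnum;
+                DEBUGMSGTL(( "mibII/icmpMsgStatsTable", "oid: " ));
+                DEBUGMSGOID(( "mibII/icmpMsgStatsTable", request->requestvb->name,
+                                 request->requestvb->name_length ));
+                DEBUGMSG(( "mibII/icmpMsgStatsTable", " In %d Out %d Flags 0x%x\n",
+                                 entry->icmpMsgStatsInPkts, entry->icmpMsgStatsOutPkts, entry->flags ));
 
                 switch (subid) {
                     case ICMP_MSG_STAT_IN_PKTS: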
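Review bot: The new bound in `while (255 >= k)` (the IPv4 loop and the identical IPv6 loop of icmp_msg_stats_load) is a bare literal that must stay equal to the last index of `vals[]` in kernel_linux.h, and nothing in these hunks ties the two together. Deriving the bound from the array, e.g. `while (k < (int)(sizeof(v4icmpmsg.vals) / sizeof(v4icmpmsg.vals[0])))`, keeps the read in bounds if the struct is resized again. The declaration of `k`, the increment of `i` and the declaration of `icmp_msg_stats_table` all lie outside the hunks, so two things need confirming there: that `k` is at least int-wide (otherwise `255 >= k` may never become false), and that the writes to `icmp_msg_stats_table[i]` are checked against the table's capacity now that all 256 types per address family can produce rows.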
diff --git a/agent/mibgroup/mibII/kernel_linux.c b/agent/mibgroup/mibII/kernel_linux.c
index b21a166..ba320c7 100644
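--- a/agent/mibgroup/mibII/kernel_linux.c
+++ b/agent/mibgroup/mibII/kernel_linux.c
@@ -81,9 +81,9 @@ decode_icmp_msg(char *line, char *data, struct icmp4_msg_mib *msg)
             index = strtol(token, &delim, 0);
             if (ERANGE == errno) {
                 continue;
-            } else if (index > LONG_MAX) {
+            } else if (index > 255) {
                 continue;
-            } else if (index < LONG_MIN) {
+            } else if (index < 0) {
                 continue;
             }
             if (NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
@@ -94,9 +94,9 @@ decode_icmp_msg(char *line, char *data, struct icmp4_msg_mib *msg)
             index = strtol(token, &delim, 0);
             if (ERANGE == errno) {
                 continue;
-            } else if (index > LONG_MAX) {
+            } else if (index > 255) {
                 continue;
-            } else if (index < LONG_MIN) {
+            } else if (index < 0) {
                 continue;
             }
             if(NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
@@ -426,14 +426,21 @@ linux_read_icmp6_parse(struct icmp6_mib *icmp6stat,
 
         vals = name;
         if (NULL != icmp6msgstat) {
+            int type;
             if (0 == strncmp(name, "Icmp6OutType", 12)) {
                 strsep(&vals, "e");
-                icmp6msgstat->vals[atoi(vals)].OutType = stats;
+                type = atoi(vals);
+                if ( type < 0 || type > 255 )
+                    continue;
+                icmp6msgstat->vals[type].OutType = stats;
                 *support = 1;
                 continue;
             } else if (0 == strncmp(name, "Icmp6InType", 11)) {
                 strsep(&vals, "e");
-                icmp6msgstat->vals[atoi(vals)].InType = stats;
+                type = atoi(vals);
+                if ( type < 0 || type > 255 )
+                    continue;
+                icmp6msgstat->vals[type].InType = stats;
                 *support = 1;
                 continue;
             }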
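Review bot: A token with no digits still passes the new range checks in both decode_icmp_msg hunks, because `strtol` then returns 0 and leaves `delim == token`, so a malformed field is silently counted as message type 0. The `ERANGE == errno` test is only meaningful if `errno` was set to 0 before the call, and no such reset is visible in the hunk; with the 0..255 check in place it is also redundant, since a saturated result falls outside that range anyway. A single guard such as `if (delim == token || index < 0 || index > 255) continue;` covers all three cases. The same gap exists in the linux_read_icmp6_parse hunk, where `atoi(vals)` cannot report a parse failure at all; `strtol` with an end-pointer check would be more consistent there. The surrounding loops start and end outside these hunks.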
diff --git a/agent/mibgroup/mibII/kernel_linux.h b/agent/mibgroup/mibII/kernel_linux.h
index 6bf5d47..c6dfca9 100644
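--- a/agent/mibgroup/mibII/kernel_linux.h
+++ b/agent/mibgroup/mibII/kernel_linux.h
@@ -121,11 +121,11 @@ struct icmp_msg_mib {
 
 /* Lets use wrapper structures for future expansion */
 struct icmp4_msg_mib {
-    struct icmp_msg_mib vals[255];
+    struct icmp_msg_mib vals[256];
 };
 
 struct icmp6_msg_mib {
-    struct icmp_msg_mib vals[255];
+    struct icmp_msg_mib vals[256];
 };
 
 struct udp_mib {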
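Review bot: The two `vals[256]` declarations carry no comment saying why the size is 256, although the `> 255` checks in kernel_linux.c and the `255 >= k` loops in icmp.c all depend on it. A comment above each array such as `/* indexed by ICMP message type; valid indexes are 0..255 */` would record the contract at the point where the size is chosen. Replacing the literal with one named constant in this header, used by those checks and loops as well, would keep the values from drifting apart.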