Blob Blame History Raw
953926 - snmptrapd crash "buffer overflow detected" at fortify_fail.c

commit 40938a62619590b4ea071ae85baa2f42a0b7fcb2
Author: Jan Safranek <jsafranek@users.sourceforge.net>
Date:   Mon Apr 22 15:00:00 2013 +0200

    Check if 'asn_parse_* ' actually succeeded.
    
    If not, discard the packet instead of using wrong data.

diff --git a/snmplib/snmp_api.c b/snmplib/snmp_api.c
index e5c45d9..0842842 100644
--- a/snmplib/snmp_api.c
+++ b/snmplib/snmp_api.c
@@ -4709,9 +4709,11 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
         case ASN_INTEGER:
             vp->val.integer = (long *) vp->buf;
             vp->val_len = sizeof(long);
-            asn_parse_int(var_val, &len, &vp->type,
+            data = asn_parse_int(var_val, &len, &vp->type,
                           (long *) vp->val.integer,
                           sizeof(*vp->val.integer));
+            if (!data)
+                return -1;
             break;
         case ASN_COUNTER:
         case ASN_GAUGE:
@@ -4719,9 +4721,11 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
         case ASN_UINTEGER:
             vp->val.integer = (long *) vp->buf;
             vp->val_len = sizeof(u_long);
-            asn_parse_unsigned_int(var_val, &len, &vp->type,
+            data = asn_parse_unsigned_int(var_val, &len, &vp->type,
                                    (u_long *) vp->val.integer,
                                    vp->val_len);
+            if (!data)
+                return -1;
             break;
 #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
         case ASN_OPAQUE_COUNTER64:
@@ -4730,34 +4734,45 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
         case ASN_COUNTER64:
             vp->val.counter64 = (struct counter64 *) vp->buf;
             vp->val_len = sizeof(struct counter64);
-            asn_parse_unsigned_int64(var_val, &len, &vp->type,
+            data = asn_parse_unsigned_int64(var_val, &len, &vp->type,
                                      (struct counter64 *) vp->val.
                                      counter64, vp->val_len);
+            if (!data)
+                return -1;
             break;
 #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
         case ASN_OPAQUE_FLOAT:
             vp->val.floatVal = (float *) vp->buf;
             vp->val_len = sizeof(float);
-            asn_parse_float(var_val, &len, &vp->type,
+            data = asn_parse_float(var_val, &len, &vp->type,
                             vp->val.floatVal, vp->val_len);
+            if (!data)
+                return -1;
             break;
         case ASN_OPAQUE_DOUBLE:
             vp->val.doubleVal = (double *) vp->buf;
             vp->val_len = sizeof(double);
-            asn_parse_double(var_val, &len, &vp->type,
+            data = asn_parse_double(var_val, &len, &vp->type,
                              vp->val.doubleVal, vp->val_len);
+            if (!data)
+                return -1;
             break;
         case ASN_OPAQUE_I64:
             vp->val.counter64 = (struct counter64 *) vp->buf;
             vp->val_len = sizeof(struct counter64);
-            asn_parse_signed_int64(var_val, &len, &vp->type,
+            data = asn_parse_signed_int64(var_val, &len, &vp->type,
                                    (struct counter64 *) vp->val.counter64,
                                    sizeof(*vp->val.counter64));
 
+            if (!data)
+                return -1;
             break;
 #endif                          /* NETSNMP_WITH_OPAQUE_SPECIAL_TYPES */
-        case ASN_OCTET_STR:
         case ASN_IPADDRESS:
+            if (vp->val_len != 4)
+                return -1;
+            /* fallthrough */
+        case ASN_OCTET_STR:
         case ASN_OPAQUE:
         case ASN_NSAP:
             if (vp->val_len < sizeof(vp->buf)) {
@@ -4768,12 +4783,16 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
             if (vp->val.string == NULL) {
                 return -1;
             }
-            asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+            data = asn_parse_string(var_val, &len, &vp->type, vp->val.string,
                              &vp->val_len);
+            if (!data)
+                return -1;
             break;
         case ASN_OBJECT_ID:
             vp->val_len = MAX_OID_LEN;
-            asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len);
+            data = asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len);
+            if (!data)
+                return -1;
             vp->val_len *= sizeof(oid);
             vp->val.objid = (oid *) malloc(vp->val_len);
             if (vp->val.objid == NULL) {
@@ -4791,8 +4810,10 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
             if (vp->val.bitstring == NULL) {
                 return -1;
             }
-            asn_parse_bitstring(var_val, &len, &vp->type,
+            data = asn_parse_bitstring(var_val, &len, &vp->type,
                                 vp->val.bitstring, &vp->val_len);
+            if (!data)
+                return -1;
             break;
         default:
             snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);

commit aa4fb949012d7c022a436992ac203c065fd7420a
Author: Jan Safranek <jsafranek@users.sourceforge.net>
Date:   Mon Apr 22 14:58:41 2013 +0200

    Integer values encoded in BER must have at least one character.
    
    If asn_length == 0, we would read the first byte of the next varbind on next line:
        if (*bufp & 0x80)
    -> reading past the buffer if there is no such variable -> sigsegv.

diff --git a/snmplib/asn1.c b/snmplib/asn1.c
index 1af7787..5de6b75 100644
--- a/snmplib/asn1.c
+++ b/snmplib/asn1.c
@@ -510,7 +510,7 @@ asn_parse_int(u_char * data,
         (errpre, bufp, data, asn_length, *datalength))
         return NULL;
 
-    if ((size_t) asn_length > intsize) {
+    if ((size_t) asn_length > intsize || (int) asn_length == 0) {
         _asn_length_err(errpre, (size_t) asn_length, intsize);
         return NULL;
     }
@@ -582,7 +582,7 @@ asn_parse_unsigned_int(u_char * data,
         (errpre, bufp, data, asn_length, *datalength))
         return NULL;
 
-    if ((asn_length > (intsize + 1)) ||
+    if (((int) asn_length > (intsize + 1)) || ((int) asn_length == 0) ||
         ((asn_length == intsize + 1) && *bufp != 0x00)) {
         _asn_length_err(errpre, (size_t) asn_length, intsize);
         return NULL;