diff --git a/SOURCES/net-snmp-5.7.2-incomplete-parse.patch b/SOURCES/net-snmp-5.7.2-incomplete-parse.patch
new file mode 100644
index 0000000..42d3788
--- /dev/null
+++ b/SOURCES/net-snmp-5.7.2-incomplete-parse.patch
@@ -0,0 +1,203 @@
+1212408 - net-snmp: snmp_pdu_parse() incompletely parsed varBinds left in list of variables
+1248412 - net-snmp: snmp_pdu_parse() incompletely parsed varBinds left in list of variables [rhel-7.1.z]
+
+Backported from:
+
+commit f23bcd3ac6ddee5d0a48f9703007ccc738914791
+Author: Robert Story <rstory@localhost>
+Date: Sat Apr 11 18:49:02 2015 -0400
+
+ CHANGES: BUG: #2615: Don't return incompletely parsed varbinds
+
+
+diff -up net-snmp-5.5/snmplib/snmp_api.c.incomplete-parse net-snmp-5.5/snmplib/snmp_api.c
+--- net-snmp-5.5/snmplib/snmp_api.c.incomplete-parse 2015-07-30 12:10:31.495801514 +0200
++++ net-snmp-5.5/snmplib/snmp_api.c 2015-07-30 12:11:43.087038548 +0200
+@@ -4508,10 +4508,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ u_char type;
+ u_char msg_type;
+ u_char *var_val;
+- int badtype = 0;
+ size_t len;
+ size_t four;
+- netsnmp_variable_list *vp = NULL;
++ netsnmp_variable_list *vp = NULL, *vplast = NULL;
+ oid objid[MAX_OID_LEN];
+ u_char *p;
+
+@@ -4647,38 +4646,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ (ASN_SEQUENCE | ASN_CONSTRUCTOR),
+ "varbinds");
+ if (data == NULL)
+- return -1;
++ goto fail;
+
+ /*
+ * get each varBind sequence
+ */
+ while ((int) *length > 0) {
+- netsnmp_variable_list *vptemp;
+- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
+- if (NULL == vptemp) {
+- return -1;
+- }
+- if (NULL == vp) {
+- pdu->variables = vptemp;
+- } else {
+- vp->next_variable = vptemp;
+- }
+- vp = vptemp;
+-
+- vp->next_variable = NULL;
+- vp->val.string = NULL;
++ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
++ if (NULL == vp)
++ goto fail;
++
+ vp->name_length = MAX_OID_LEN;
+- vp->name = NULL;
+- vp->index = 0;
+- vp->data = NULL;
+- vp->dataFreeHook = NULL;
+ DEBUGDUMPSECTION("recv", "VarBind");
+ data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
+ &vp->val_len, &var_val, length);
+ if (data == NULL)
+- return -1;
++ goto fail;
+ if (snmp_set_var_objid(vp, objid, vp->name_length))
+- return -1;
++ goto fail;
+
+ len = MAX_PACKET_LENGTH;
+ DEBUGDUMPHEADER("recv", "Value");
+@@ -4690,7 +4675,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ (long *) vp->val.integer,
+ sizeof(*vp->val.integer));
+ if (!p)
+- return -1;
++ goto fail;
+ break;
+ case ASN_COUNTER:
+ case ASN_GAUGE:
+@@ -4702,7 +4687,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ (u_long *) vp->val.integer,
+ vp->val_len);
+ if (!p)
+- return -1;
++ goto fail;
+ break;
+ #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
+ case ASN_OPAQUE_COUNTER64:
+@@ -4715,7 +4700,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ (struct counter64 *) vp->val.
+ counter64, vp->val_len);
+ if (!p)
+- return -1;
++ goto fail;
+ break;
+ #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
+ case ASN_OPAQUE_FLOAT:
+@@ -4724,7 +4709,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ p = asn_parse_float(var_val, &len, &vp->type,
+ vp->val.floatVal, vp->val_len);
+ if (!p)
+- return -1;
++ goto fail;
+ break;
+ case ASN_OPAQUE_DOUBLE:
+ vp->val.doubleVal = (double *) vp->buf;
+@@ -4732,7 +4717,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ p = asn_parse_double(var_val, &len, &vp->type,
+ vp->val.doubleVal, vp->val_len);
+ if (!p)
+- return -1;
++ goto fail;
+ break;
+ case ASN_OPAQUE_I64:
+ vp->val.counter64 = (struct counter64 *) vp->buf;
+@@ -4742,12 +4727,12 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ sizeof(*vp->val.counter64));
+
+ if (!p)
+- return -1;
++ goto fail;
+ break;
+ #endif /* NETSNMP_WITH_OPAQUE_SPECIAL_TYPES */
+ case ASN_IPADDRESS:
+ if (vp->val_len != 4)
+- return -1;
++ goto fail;
+ /* fallthrough */
+ case ASN_OCTET_STR:
+ case ASN_OPAQUE:
+@@ -4758,22 +4743,22 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ vp->val.string = (u_char *) malloc(vp->val_len);
+ }
+ if (vp->val.string == NULL) {
+- return -1;
++ goto fail;
+ }
+ p = asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+ &vp->val_len);
+ if (!p)
+- return -1;
++ goto fail;
+ break;
+ case ASN_OBJECT_ID:
+ vp->val_len = MAX_OID_LEN;
+ p = asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len);
+ if (!p)
+- return -1;
++ goto fail;
+ vp->val_len *= sizeof(oid);
+ vp->val.objid = (oid *) malloc(vp->val_len);
+ if (vp->val.objid == NULL) {
+- return -1;
++ goto fail;
+ }
+ memmove(vp->val.objid, objid, vp->val_len);
+ break;
+@@ -4785,21 +4770,38 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
+ case ASN_BIT_STR:
+ vp->val.bitstring = (u_char *) malloc(vp->val_len);
+ if (vp->val.bitstring == NULL) {
+- return -1;
++ goto fail;
+ }
+ p = asn_parse_bitstring(var_val, &len, &vp->type,
+ vp->val.bitstring, &vp->val_len);
+ if (!p)
+- return -1;
++ goto fail;
+ break;
+ default:
+ snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
+- badtype = -1;
++ goto fail;
+ break;
+ }
+ DEBUGINDENTADD(-4);
++
++ if (NULL == vplast) {
++ pdu->variables = vp;
++ } else {
++ vplast->next_variable = vp;
++ }
++ vplast = vp;
++ vp = NULL;
++
+ }
+- return badtype;
++ return 0;
++
++fail:
++ DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
++ /** if we were parsing a var, remove it from the pdu and free it */
++ if (vp)
++ snmp_free_var(vp);
++
++ return -1;
+ }
+
+ /*
diff --git a/SPECS/net-snmp.spec b/SPECS/net-snmp.spec
index fdc9623..b0be614 100644
--- a/SPECS/net-snmp.spec
+++ b/SPECS/net-snmp.spec
@@ -11,7 +11,7 @@
Summary: A collection of SNMP protocol tools and libraries
Name: net-snmp
Version: 5.7.2
-Release: 20%{?dist}
+Release: 20%{?dist}.1
Epoch: 1
License: BSD
@@ -71,6 +71,7 @@ Patch34: net-snmp-5.7.2-hrProcessorLoad-many-cpus.patch
Patch35: net-snmp-5.5-mvfs.patch
Patch36: net-snmp-5.7.2-clientaddr-error-msg.patch
Patch37: net-snmp-5.7.2-proxy-getnext.patch
+Patch38: net-snmp-5.7.2-incomplete-parse.patch
Requires(post): chkconfig
Requires(preun): chkconfig
@@ -260,6 +261,7 @@ The net-snmp-sysvinit package provides SysV init scripts for Net-SNMP daemons.
%patch35 -p1 -b .mvfs
%patch36 -p1 -b .clientaddr-error-msg
%patch37 -p1 -b .proxy-getnext
+%patch38 -p1 -b .incomplete-parse
%ifarch sparc64 s390 s390x
# disable failing test - see https://bugzilla.redhat.com/show_bug.cgi?id=680697
@@ -555,6 +557,9 @@ rm -rf ${RPM_BUILD_ROOT}
%{_initrddir}/snmptrapd
%changelog
+* Thu Jul 30 2015 Jan Safranek <jsafrane@redhat.com> - 1:5.7.2-20.el7_1.1
+- Fixed parsing of invalid variables in incoming packets (#1248412)
+
* Mon Jan 19 2015 Jan Safranek <jsafrane@redhat.com> - 1:5.7.2-20
- Fixed compiler warnings in previous build.