diff --git a/SOURCES/net-snmp-5.7.2-incomplete-parse.patch b/SOURCES/net-snmp-5.7.2-incomplete-parse.patch new file mode 100644 index 0000000..42d3788 --- /dev/null +++ b/SOURCES/net-snmp-5.7.2-incomplete-parse.patch @@ -0,0 +1,203 @@ +1212408 - net-snmp: snmp_pdu_parse() incompletely parsed varBinds left in list of variables +1248412 - net-snmp: snmp_pdu_parse() incompletely parsed varBinds left in list of variables [rhel-7.1.z] + +Backported from: + +commit f23bcd3ac6ddee5d0a48f9703007ccc738914791 +Author: Robert Story +Date: Sat Apr 11 18:49:02 2015 -0400 + + CHANGES: BUG: #2615: Don't return incompletely parsed varbinds + + +diff -up net-snmp-5.5/snmplib/snmp_api.c.incomplete-parse net-snmp-5.5/snmplib/snmp_api.c +--- net-snmp-5.5/snmplib/snmp_api.c.incomplete-parse 2015-07-30 12:10:31.495801514 +0200 ++++ net-snmp-5.5/snmplib/snmp_api.c 2015-07-30 12:11:43.087038548 +0200 +@@ -4508,10 +4508,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + u_char type; + u_char msg_type; + u_char *var_val; +- int badtype = 0; + size_t len; + size_t four; +- netsnmp_variable_list *vp = NULL; ++ netsnmp_variable_list *vp = NULL, *vplast = NULL; + oid objid[MAX_OID_LEN]; + u_char *p; + +@@ -4647,38 +4646,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + (ASN_SEQUENCE | ASN_CONSTRUCTOR), + "varbinds"); + if (data == NULL) +- return -1; ++ goto fail; + + /* + * get each varBind sequence + */ + while ((int) *length > 0) { +- netsnmp_variable_list *vptemp; +- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp)); +- if (NULL == vptemp) { +- return -1; +- } +- if (NULL == vp) { +- pdu->variables = vptemp; +- } else { +- vp->next_variable = vptemp; +- } +- vp = vptemp; +- +- vp->next_variable = NULL; +- vp->val.string = NULL; ++ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list); ++ if (NULL == vp) ++ goto fail; ++ + vp->name_length = MAX_OID_LEN; +- vp->name = NULL; +- vp->index = 0; +- vp->data = NULL; +- vp->dataFreeHook = NULL; + DEBUGDUMPSECTION("recv", "VarBind"); + data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type, + &vp->val_len, &var_val, length); + if (data == NULL) +- return -1; ++ goto fail; + if (snmp_set_var_objid(vp, objid, vp->name_length)) +- return -1; ++ goto fail; + + len = MAX_PACKET_LENGTH; + DEBUGDUMPHEADER("recv", "Value"); +@@ -4690,7 +4675,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + (long *) vp->val.integer, + sizeof(*vp->val.integer)); + if (!p) +- return -1; ++ goto fail; + break; + case ASN_COUNTER: + case ASN_GAUGE: +@@ -4702,7 +4687,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + (u_long *) vp->val.integer, + vp->val_len); + if (!p) +- return -1; ++ goto fail; + break; + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case ASN_OPAQUE_COUNTER64: +@@ -4715,7 +4700,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + (struct counter64 *) vp->val. + counter64, vp->val_len); + if (!p) +- return -1; ++ goto fail; + break; + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case ASN_OPAQUE_FLOAT: +@@ -4724,7 +4709,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + p = asn_parse_float(var_val, &len, &vp->type, + vp->val.floatVal, vp->val_len); + if (!p) +- return -1; ++ goto fail; + break; + case ASN_OPAQUE_DOUBLE: + vp->val.doubleVal = (double *) vp->buf; +@@ -4732,7 +4717,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + p = asn_parse_double(var_val, &len, &vp->type, + vp->val.doubleVal, vp->val_len); + if (!p) +- return -1; ++ goto fail; + break; + case ASN_OPAQUE_I64: + vp->val.counter64 = (struct counter64 *) vp->buf; +@@ -4742,12 +4727,12 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + sizeof(*vp->val.counter64)); + + if (!p) +- return -1; ++ goto fail; + break; + #endif /* NETSNMP_WITH_OPAQUE_SPECIAL_TYPES */ + case ASN_IPADDRESS: + if (vp->val_len != 4) +- return -1; ++ goto fail; + /* fallthrough */ + case ASN_OCTET_STR: + case ASN_OPAQUE: +@@ -4758,22 +4743,22 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + vp->val.string = (u_char *) malloc(vp->val_len); + } + if (vp->val.string == NULL) { +- return -1; ++ goto fail; + } + p = asn_parse_string(var_val, &len, &vp->type, vp->val.string, + &vp->val_len); + if (!p) +- return -1; ++ goto fail; + break; + case ASN_OBJECT_ID: + vp->val_len = MAX_OID_LEN; + p = asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len); + if (!p) +- return -1; ++ goto fail; + vp->val_len *= sizeof(oid); + vp->val.objid = (oid *) malloc(vp->val_len); + if (vp->val.objid == NULL) { +- return -1; ++ goto fail; + } + memmove(vp->val.objid, objid, vp->val_len); + break; +@@ -4785,21 +4770,38 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char + case ASN_BIT_STR: + vp->val.bitstring = (u_char *) malloc(vp->val_len); + if (vp->val.bitstring == NULL) { +- return -1; ++ goto fail; + } + p = asn_parse_bitstring(var_val, &len, &vp->type, + vp->val.bitstring, &vp->val_len); + if (!p) +- return -1; ++ goto fail; + break; + default: + snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type); +- badtype = -1; ++ goto fail; + break; + } + DEBUGINDENTADD(-4); ++ ++ if (NULL == vplast) { ++ pdu->variables = vp; ++ } else { ++ vplast->next_variable = vp; ++ } ++ vplast = vp; ++ vp = NULL; ++ + } +- return badtype; ++ return 0; ++ ++fail: ++ DEBUGMSGTL(("recv", "error while parsing VarBindList\n")); ++ /** if we were parsing a var, remove it from the pdu and free it */ ++ if (vp) ++ snmp_free_var(vp); ++ ++ return -1; + } + + /* diff --git a/SPECS/net-snmp.spec b/SPECS/net-snmp.spec index fdc9623..b0be614 100644 --- a/SPECS/net-snmp.spec +++ b/SPECS/net-snmp.spec @@ -11,7 +11,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.7.2 -Release: 20%{?dist} +Release: 20%{?dist}.1 Epoch: 1 License: BSD @@ -71,6 +71,7 @@ Patch34: net-snmp-5.7.2-hrProcessorLoad-many-cpus.patch Patch35: net-snmp-5.5-mvfs.patch Patch36: net-snmp-5.7.2-clientaddr-error-msg.patch Patch37: net-snmp-5.7.2-proxy-getnext.patch +Patch38: net-snmp-5.7.2-incomplete-parse.patch Requires(post): chkconfig Requires(preun): chkconfig @@ -260,6 +261,7 @@ The net-snmp-sysvinit package provides SysV init scripts for Net-SNMP daemons. %patch35 -p1 -b .mvfs %patch36 -p1 -b .clientaddr-error-msg %patch37 -p1 -b .proxy-getnext +%patch38 -p1 -b .incomplete-parse %ifarch sparc64 s390 s390x # disable failing test - see https://bugzilla.redhat.com/show_bug.cgi?id=680697 @@ -555,6 +557,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_initrddir}/snmptrapd %changelog +* Thu Jul 30 2015 Jan Safranek - 1:5.7.2-20.el7_1.1 +- Fixed parsing of invalid variables in incoming packets (#1248412) + * Mon Jan 19 2015 Jan Safranek - 1:5.7.2-20 - Fixed compiler warnings in previous build.