Resolves: RHEL-121091 - fix use after free issue

Signed-off-by: Josef Ridky <jridky@redhat.com>
2025-10-22 08:55:57 +02:00 · 2025-10-22 08:55:57 +02:00 · 747ea5d516
commit 747ea5d516
parent 5c3ab6409a
2 changed files with 35 additions and 0 deletions
--- a/net-snmp-5.8-callback-fix.patch
+++ b/net-snmp-5.8-callback-fix.patch
@ -0,0 +1,32 @@
+diff -urNp a/snmplib/callback.c b/snmplib/callback.c
+--- a/snmplib/callback.c	2025-08-13 15:21:25.507544080 +0200
+++ b/snmplib/callback.c	2025-08-13 15:25:01.973092935 +0200
+@@ -346,13 +346,17 @@ snmp_call_callbacks(int major, int minor
+     /*
+      * for each registered callback of type major and minor 
+      */
+-    for (scp = thecallbacks[major][minor]; scp != NULL; scp = scp->next) {
+    scp = thecallbacks[major][minor];
+    while (scp != NULL) {
+        struct snmp_gen_callback *scp_next = scp->next;
+ 
+         /*
+          * skip unregistered callbacks
+          */
+-        if(NULL == scp->sc_callback)
+        if(NULL == scp->sc_callback) {
+            scp = scp_next;
+             continue;
+        }
+ 
+         DEBUGMSGTL(("callback", "calling a callback for maj=%d min=%d\n",
+                     major, minor));
+@@ -363,6 +367,8 @@ snmp_call_callbacks(int major, int minor
+         (*(scp->sc_callback)) (major, minor, caller_arg,
+                                scp->sc_client_arg);
+         count++;
+
+        scp = scp_next;
+     }
+ 
+     DEBUGMSGTL(("callback",
--- a/net-snmp.spec
+++ b/net-snmp.spec
@ -61,6 +61,7 @@ Patch31:    net-snmp-5.9-CVE-2022-24805-24810.patch
 Patch32:    net-snmp-5.9.4-kernel-6.7.patch
 Patch33:    net-snmp-5.9-deleted-iface.patch
 Patch34:    net-snmp-5.9.4-revert-n-snmptrapd-log.patch
+Patch35:    net-snmp-5.8-callback-fix.patch

 # Modern RPM API means at least EL6
 Patch101:   net-snmp-5.8-modern-rpm-api.patch
@ -247,6 +248,7 @@ cp %{SOURCE10} .
 %patch32 -p1 -b .kernel-6.7-fix
 %patch33 -p1 -b .iface
 %patch34 -p1 -b .revert-n-snmptrapd-log
+%patch35 -p1 -b .callback-fix

 %patch101 -p1 -b .modern-rpm-api
 %patch102 -p1
@ -518,6 +520,7 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %changelog
 * Wed Oct 22 2025 Josef Ridky <jridky@redhat.com> - 1:5.9.1-18
 - fix inverted usage of -n in snmptrapd (RHEL-101078)
+- fix use after free issue (RHEL-121091)

 * Tue Jul 16 2024 Josef Ridky <jridky@redhat.com> - 1:5.9.1-17
 - fix segfault with error on subcontainer (RHEL-46033)