rpms/net-snmp
8
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: #1552844 - CVE-2018-1000116 Heap corruption in snmp_pdu_parse

Browse Source
This commit is contained in:
Josef Ridky 2018-03-08 09:59:42 +01:00
parent fd2b06be09
commit a99b865945
2 changed files with 206 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

200
net-snmp-5.7.3-CVE-2018-1000116.patch Normal file
View File

@ -0,0 +1,200 @@
diff -urNp old/snmplib/snmp_api.c new/snmplib/snmp_api.c
--- old/snmplib/snmp_api.c 2018-03-08 09:08:50.675762351 +0100
+++ new/snmplib/snmp_api.c 2018-03-08 09:27:13.289076553 +0100
@@ -4350,12 +4350,10 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
u_char type;
u_char msg_type;
u_char *var_val;
- int badtype = 0;
size_t len;
size_t four;
- netsnmp_variable_list *vp = NULL;
+ netsnmp_variable_list *vp = NULL, *vplast = NULL;
oid objid[MAX_OID_LEN];
- u_char *p;
/*
* Get the PDU type
@@ -4493,38 +4491,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
(ASN_SEQUENCE | ASN_CONSTRUCTOR),
"varbinds");
if (data == NULL)
- return -1;
+ goto fail;
/*
* get each varBind sequence
*/
while ((int) *length > 0) {
- netsnmp_variable_list *vptemp;
- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
- if (NULL == vptemp) {
- return -1;
- }
- if (NULL == vp) {
- pdu->variables = vptemp;
- } else {
- vp->next_variable = vptemp;
- }
- vp = vptemp;
+ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
+ if (NULL == vp)
+ goto fail;
- vp->next_variable = NULL;
- vp->val.string = NULL;
vp->name_length = MAX_OID_LEN;
- vp->name = NULL;
- vp->index = 0;
- vp->data = NULL;
- vp->dataFreeHook = NULL;
DEBUGDUMPSECTION("recv", "VarBind");
data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
&vp->val_len, &var_val, length);
if (data == NULL)
- return -1;
+ goto fail;
if (snmp_set_var_objid(vp, objid, vp->name_length))
- return -1;
+ goto fail;
len = MAX_PACKET_LENGTH;
DEBUGDUMPHEADER("recv", "Value");
@@ -4532,11 +4516,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
case ASN_INTEGER:
vp->val.integer = (long *) vp->buf;
vp->val_len = sizeof(long);
- p = asn_parse_int(var_val, &len, &vp->type,
+ asn_parse_int(var_val, &len, &vp->type,
(long *) vp->val.integer,
sizeof(*vp->val.integer));
- if (!p)
- return -1;
break;
case ASN_COUNTER:
case ASN_GAUGE:
@@ -4544,11 +4526,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
case ASN_UINTEGER:
vp->val.integer = (long *) vp->buf;
vp->val_len = sizeof(u_long);
- p = asn_parse_unsigned_int(var_val, &len, &vp->type,
+ asn_parse_unsigned_int(var_val, &len, &vp->type,
(u_long *) vp->val.integer,
vp->val_len);
- if (!p)
- return -1;
break;
#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
case ASN_OPAQUE_COUNTER64:
@@ -4557,38 +4537,30 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
case ASN_COUNTER64:
vp->val.counter64 = (struct counter64 *) vp->buf;
vp->val_len = sizeof(struct counter64);
- p = asn_parse_unsigned_int64(var_val, &len, &vp->type,
+ asn_parse_unsigned_int64(var_val, &len, &vp->type,
(struct counter64 *) vp->val.
counter64, vp->val_len);
- if (!p)
- return -1;
break;
#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
case ASN_OPAQUE_FLOAT:
vp->val.floatVal = (float *) vp->buf;
vp->val_len = sizeof(float);
- p = asn_parse_float(var_val, &len, &vp->type,
+ asn_parse_float(var_val, &len, &vp->type,
vp->val.floatVal, vp->val_len);
- if (!p)
- return -1;
break;
case ASN_OPAQUE_DOUBLE:
vp->val.doubleVal = (double *) vp->buf;
vp->val_len = sizeof(double);
- p = asn_parse_double(var_val, &len, &vp->type,
+ asn_parse_double(var_val, &len, &vp->type,
vp->val.doubleVal, vp->val_len);
- if (!p)
- return -1;
break;
case ASN_OPAQUE_I64:
vp->val.counter64 = (struct counter64 *) vp->buf;
vp->val_len = sizeof(struct counter64);
- p = asn_parse_signed_int64(var_val, &len, &vp->type,
+ asn_parse_signed_int64(var_val, &len, &vp->type,
(struct counter64 *) vp->val.counter64,
sizeof(*vp->val.counter64));
- if (!p)
- return -1;
break;
#endif /* NETSNMP_WITH_OPAQUE_SPECIAL_TYPES */
case ASN_IPADDRESS:
@@ -4604,22 +4576,18 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
vp->val.string = (u_char *) malloc(vp->val_len);
}
if (vp->val.string == NULL) {
- return -1;
+ goto fail;
}
- p = asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+ asn_parse_string(var_val, &len, &vp->type, vp->val.string,
&vp->val_len);
- if (!p)
- return -1;
break;
case ASN_OBJECT_ID:
vp->val_len = MAX_OID_LEN;
- p = asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len);
- if (!p)
- return -1;
+ asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len);
vp->val_len *= sizeof(oid);
vp->val.objid = (oid *) malloc(vp->val_len);
if (vp->val.objid == NULL) {
- return -1;
+ goto fail;
}
memmove(vp->val.objid, objid, vp->val_len);
break;
@@ -4631,21 +4599,34 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
case ASN_BIT_STR:
vp->val.bitstring = (u_char *) malloc(vp->val_len);
if (vp->val.bitstring == NULL) {
- return -1;
+ goto fail;
}
- p = asn_parse_bitstring(var_val, &len, &vp->type,
+ asn_parse_bitstring(var_val, &len, &vp->type,
vp->val.bitstring, &vp->val_len);
- if (!p)
- return -1;
break;
default:
snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
- badtype = -1;
+ goto fail;
break;
}
DEBUGINDENTADD(-4);
- }
- return badtype;
+ if (NULL == vplast) {
+ pdu->variables = vp;
+ } else {
+ vplast->next_variable = vp;
+ }
+ vplast = vp;
+ vp = NULL;
+ }
+ return 0;
+
+ fail:
+ DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
+ /** if we were parsing a var, remove it from the pdu and free it */
+ if (vp)
+ snmp_free_var(vp);
+
+ return -1;
}
/*

9
net-snmp.spec
View File

@ -1,15 +1,13 @@
# use nestnmp_check 0 to speed up packaging by disabling 'make test'
%{!?netsnmp_check: %global netsnmp_check 1}
# allow compilation on Fedora 11 and older
%{!?python3_sitearch: %global python3_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
# Arches on which we need to prevent arch conflicts on net-snmp-config.h
%global multilib_arches %{ix86} ia64 ppc ppc64 s390 s390x x86_64 sparc sparcv9 sparc64 aarch64
Summary: A collection of SNMP protocol tools and libraries
Name: net-snmp
Version: 5.7.3
Release: 35%{?dist}
Release: 36%{?dist}
Epoch: 1
License: BSD
@ -62,6 +60,7 @@ Patch19: net-snmp-5.7.3-mariadb-connector-c.patch
Patch20: net-snmp-5.7.3-strstr.patch
Patch21: net-snmp-5.7.3-iterator-fix.patch
Patch22: net-snmp-5.7.3-autofs.patch
Patch23: net-snmp-5.7.3-CVE-2018-1000116.patch
# This patch fix issue with new OpenSLL library in rawhide (f26+)
# !!!WARNING!!! DO NOT USE IT FOR OLDER FEDORA RELEASES (>f26)
@ -227,6 +226,7 @@ cp %{SOURCE10} .
%patch20 -p1 -b .strstr
%patch21 -p1 -b .iterator-fix
%patch22 -p1 -b .autofs-skip
%patch23 -p1 -b .CVE-2018-1000116
%patch100 -p1 -b .openssl
%patch101 -p1 -b .modern-rpm-api
%patch102 -p1
@ -494,6 +494,9 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
%{_libdir}/libnetsnmptrapd*.so.*
%changelog
* Thu Mar 08 2018 Josef Ridky <jridky@redhat.com> - 1:5.7.3-36
- CVE-2018-1000116 Heap corruption in snmp_pdu_parse (#1552844)
* Tue Feb 27 2018 Josef Ridky <jridky@redhat.com> - 1:5.7.3-35
- compile against Python3
- add gcc requirement