Fix multiple issues found in net-snmp.

- exit snmpd after snmpd -h command
- fix issues found by coverity scan
- fix issue with flood messages
- fix double free or corruption error when freeing security context
This commit is contained in:
Josef Řídký 2020-04-09 13:33:50 +02:00
parent b0ffa68e22
commit b2ce63191d
6 changed files with 276 additions and 9 deletions

View File

@ -1,14 +1,14 @@
diff -urNp old/agent/mibgroup/host/data_access/swrun.c new/agent/mibgroup/host/data_access/swrun.c diff -urNp old/agent/mibgroup/host/data_access/swrun.c new/agent/mibgroup/host/data_access/swrun.c
--- old/agent/mibgroup/host/data_access/swrun.c 2018-03-26 09:00:39.932335587 +0200 --- old/agent/mibgroup/host/data_access/swrun.c 2017-07-18 09:44:00.626109526 +0200
+++ new/agent/mibgroup/host/data_access/swrun.c 2018-03-26 09:03:00.845876681 +0200 +++ new/agent/mibgroup/host/data_access/swrun.c 2017-07-19 15:27:50.452255836 +0200
@@ -102,7 +102,9 @@ swrun_count_processes_by_name( char *nam @@ -102,6 +102,10 @@ swrun_count_processes_by_name( char *nam
return 0; /* or -1 */ return 0; /* or -1 */
it = CONTAINER_ITERATOR( swrun_container ); it = CONTAINER_ITERATOR( swrun_container );
- while ((entry = (netsnmp_swrun_entry*)ITERATOR_NEXT( it )) != NULL) { + if((entry = (netsnmp_swrun_entry*)ITERATOR_FIRST( it )) != NULL) {
+ for (entry = (netsnmp_swrun_entry*)ITERATOR_FIRST( it ); + if (0 == strcmp( entry->hrSWRunName, name ))
+ entry; + i++;
+ entry = (netsnmp_swrun_entry*)ITERATOR_NEXT( it )) { + }
while ((entry = (netsnmp_swrun_entry*)ITERATOR_NEXT( it )) != NULL) {
if (0 == strcmp( entry->hrSWRunName, name )) if (0 == strcmp( entry->hrSWRunName, name ))
i++; i++;
}

View File

@ -0,0 +1,68 @@
diff -urNp a/agent/mibgroup/disman/event/mteTrigger.c b/agent/mibgroup/disman/event/mteTrigger.c
--- a/agent/mibgroup/disman/event/mteTrigger.c 2018-09-27 10:43:38.722444233 +0200
+++ b/agent/mibgroup/disman/event/mteTrigger.c 2018-09-27 11:01:46.503253963 +0200
@@ -1012,7 +1012,7 @@ mteTrigger_run( unsigned int reg, void *
* Similarly, if no fallEvent is configured,
* there's no point in trying to fire it either.
*/
- if (entry->mteTThRiseEvent[0] != '\0' ) {
+ if (entry->mteTThFallEvent[0] != '\0' ) {
entry->mteTriggerXOwner = entry->mteTThObjOwner;
entry->mteTriggerXObjects = entry->mteTThObjects;
entry->mteTriggerFired = vp1;
@@ -1105,7 +1105,7 @@ mteTrigger_run( unsigned int reg, void *
* Similarly, if no fallEvent is configured,
* there's no point in trying to fire it either.
*/
- if (entry->mteTThDRiseEvent[0] != '\0' ) {
+ if (entry->mteTThDFallEvent[0] != '\0' ) {
entry->mteTriggerXOwner = entry->mteTThObjOwner;
entry->mteTriggerXObjects = entry->mteTThObjects;
entry->mteTriggerFired = vp1;
diff -urNp a/agent/mibgroup/hardware/cpu/cpu_linux.c b/agent/mibgroup/hardware/cpu/cpu_linux.c
--- a/agent/mibgroup/hardware/cpu/cpu_linux.c 2018-09-27 10:43:38.697444449 +0200
+++ b/agent/mibgroup/hardware/cpu/cpu_linux.c 2018-09-27 11:12:07.109024625 +0200
@@ -122,6 +122,7 @@ int netsnmp_cpu_arch_load( netsnmp_cache
bsize = getpagesize()-1;
buff = (char*)malloc(bsize+1);
if (buff == NULL) {
+ close(statfd);
return -1;
}
}
diff -urNp a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c
--- a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c 2018-09-27 10:43:38.711444328 +0200
+++ b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c 2018-09-27 11:16:45.532231535 +0200
@@ -543,15 +543,18 @@ netsnmp_access_ipaddress_extra_prefix_in
status = send (sd, &req, req.nlhdr.nlmsg_len, 0);
if (status < 0) {
snmp_log(LOG_ERR, "could not send netlink request\n");
+ close(sd);
return -1;
}
status = recv (sd, buf, sizeof(buf), 0);
if (status < 0) {
snmp_log (LOG_ERR, "could not recieve netlink request\n");
+ close(sd);
return -1;
}
if (status == 0) {
snmp_log (LOG_ERR, "nothing to read\n");
+ close(sd);
return -1;
}
for (nlmp = (struct nlmsghdr *)buf; status > sizeof(*nlmp); ){
@@ -561,11 +564,13 @@ netsnmp_access_ipaddress_extra_prefix_in
if (req_len < 0 || len > status) {
snmp_log (LOG_ERR, "invalid netlink message\n");
+ close(sd);
return -1;
}
if (!NLMSG_OK (nlmp, status)) {
snmp_log (LOG_ERR, "invalid NLMSG message\n");
+ close(sd);
return -1;
}
rtmp = (struct ifaddrmsg *)NLMSG_DATA(nlmp);

View File

@ -0,0 +1,26 @@
From cd09fd82522861830aaf9d237b26eef5f9ba50d2 Mon Sep 17 00:00:00 2001
From: Bart Van Assche <bvanassche@acm.org>
Date: Wed, 21 Nov 2018 20:47:42 -0800
Subject: [PATCH] MIB-II: Only log once that opening /proc/net/if_inet6 failed
If IPv6 has been disabled (ipv6.disable=1) then opening /proc/net/if_inet6
fails. Only log this once instead of thousand of times a day.
Reported-by: Fif <lefif@users.sourceforge.net>
---
agent/mibgroup/ip-mib/data_access/ipaddress_linux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c
index 5ddead3e0..280575ce3 100644
--- a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c
+++ b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c
@@ -234,7 +234,7 @@ _load_v6(netsnmp_container *container, int idx_offset)
#define PROCFILE "/proc/net/if_inet6"
if (!(in = fopen(PROCFILE, "r"))) {
- snmp_log_perror("ipaddress_linux: could not open " PROCFILE);
+ NETSNMP_LOGONCE((LOG_ERR, "ipaddress_linux: could not open " PROCFILE));
return -2;
}

View File

@ -0,0 +1,146 @@
diff -urNp a/include/net-snmp/library/snmpusm.h b/include/net-snmp/library/snmpusm.h
--- a/include/net-snmp/library/snmpusm.h 2020-03-16 09:54:29.883655600 +0100
+++ b/include/net-snmp/library/snmpusm.h 2020-03-16 09:55:24.142944520 +0100
@@ -43,6 +43,7 @@ extern "C" {
* Structures.
*/
struct usmStateReference {
+ int refcnt;
char *usr_name;
size_t usr_name_length;
u_char *usr_engine_id;
diff -urNp a/snmplib/snmp_client.c b/snmplib/snmp_client.c
--- a/snmplib/snmp_client.c 2020-03-16 09:54:29.892655813 +0100
+++ b/snmplib/snmp_client.c 2020-03-16 09:58:13.214021890 +0100
@@ -402,27 +402,16 @@ _clone_pdu_header(netsnmp_pdu *pdu)
return NULL;
}
- if (pdu->securityStateRef &&
- pdu->command == SNMP_MSG_TRAP2) {
-
- ret = usm_clone_usmStateReference((struct usmStateReference *) pdu->securityStateRef,
- (struct usmStateReference **) &newpdu->securityStateRef );
-
- if (ret)
- {
+ sptr = find_sec_mod(newpdu->securityModel);
+ if (sptr && sptr->pdu_clone) {
+ /* call security model if it needs to know about this */
+ ret = sptr->pdu_clone(pdu, newpdu);
+ if (ret) {
snmp_free_pdu(newpdu);
return NULL;
}
}
- if ((sptr = find_sec_mod(newpdu->securityModel)) != NULL &&
- sptr->pdu_clone != NULL) {
- /*
- * call security model if it needs to know about this
- */
- (*sptr->pdu_clone) (pdu, newpdu);
- }
-
return newpdu;
}
diff -urNp a/snmplib/snmpusm.c b/snmplib/snmpusm.c
--- a/snmplib/snmpusm.c 2020-03-16 09:54:29.894655860 +0100
+++ b/snmplib/snmpusm.c 2020-03-16 10:03:38.870027530 +0100
@@ -285,43 +285,64 @@ free_enginetime_on_shutdown(int majorid,
struct usmStateReference *
usm_malloc_usmStateReference(void)
{
- struct usmStateReference *retval = (struct usmStateReference *)
- calloc(1, sizeof(struct usmStateReference));
+ struct usmStateReference *retval;
+
+ retval = calloc(1, sizeof(struct usmStateReference));
+ if (retval)
+ retval->refcnt = 1;
return retval;
} /* end usm_malloc_usmStateReference() */
+static int
+usm_clone(netsnmp_pdu *pdu, netsnmp_pdu *new_pdu)
+{
+ struct usmStateReference *ref = pdu->securityStateRef;
+ struct usmStateReference **new_ref =
+ (struct usmStateReference **)&new_pdu->securityStateRef;
+ int ret = 0;
+
+ if (!ref)
+ return ret;
+
+ if (pdu->command == SNMP_MSG_TRAP2) {
+ netsnmp_assert(pdu->securityModel == SNMP_DEFAULT_SECMODEL);
+ ret = usm_clone_usmStateReference(ref, new_ref);
+ } else {
+ netsnmp_assert(ref == *new_ref);
+ ref->refcnt++;
+ }
+
+ return ret;
+}
+
void
usm_free_usmStateReference(void *old)
{
- struct usmStateReference *old_ref = (struct usmStateReference *) old;
+ struct usmStateReference *ref = old;
- if (old_ref) {
+ if (!ref)
+ return;
- if (old_ref->usr_name_length)
- SNMP_FREE(old_ref->usr_name);
- if (old_ref->usr_engine_id_length)
- SNMP_FREE(old_ref->usr_engine_id);
- if (old_ref->usr_auth_protocol_length)
- SNMP_FREE(old_ref->usr_auth_protocol);
- if (old_ref->usr_priv_protocol_length)
- SNMP_FREE(old_ref->usr_priv_protocol);
-
- if (old_ref->usr_auth_key_length && old_ref->usr_auth_key) {
- SNMP_ZERO(old_ref->usr_auth_key, old_ref->usr_auth_key_length);
- SNMP_FREE(old_ref->usr_auth_key);
- }
- if (old_ref->usr_priv_key_length && old_ref->usr_priv_key) {
- SNMP_ZERO(old_ref->usr_priv_key, old_ref->usr_priv_key_length);
- SNMP_FREE(old_ref->usr_priv_key);
- }
+ if (--ref->refcnt > 0)
+ return;
- SNMP_ZERO(old_ref, sizeof(*old_ref));
- SNMP_FREE(old_ref);
+ SNMP_FREE(ref->usr_name);
+ SNMP_FREE(ref->usr_engine_id);
+ SNMP_FREE(ref->usr_auth_protocol);
+ SNMP_FREE(ref->usr_priv_protocol);
+ if (ref->usr_auth_key_length && ref->usr_auth_key) {
+ SNMP_ZERO(ref->usr_auth_key, ref->usr_auth_key_length);
+ SNMP_FREE(ref->usr_auth_key);
+ }
+ if (ref->usr_priv_key_length && ref->usr_priv_key) {
+ SNMP_ZERO(ref->usr_priv_key, ref->usr_priv_key_length);
+ SNMP_FREE(ref->usr_priv_key);
}
+ SNMP_FREE(ref);
} /* end usm_free_usmStateReference() */
struct usmUser *
@@ -3316,6 +3337,7 @@ init_usm(void)
def->encode_reverse = usm_secmod_rgenerate_out_msg;
def->encode_forward = usm_secmod_generate_out_msg;
def->decode = usm_secmod_process_in_msg;
+ def->pdu_clone = usm_clone;
def->pdu_free_state_ref = usm_free_usmStateReference;
def->session_setup = usm_session_init;
def->handle_report = usm_handle_report;

View File

@ -0,0 +1,11 @@
diff -urNp a/agent/snmpd.c b/agent/snmpd.c
--- a/agent/snmpd.c 2018-10-04 10:34:10.939728847 +0200
+++ b/agent/snmpd.c 2018-10-04 10:34:43.910625603 +0200
@@ -325,6 +325,7 @@ usage(char *prog)
" -S d|i|0-7\t\tuse -Ls <facility> instead\n"
"\n"
);
+ exit(1);
}
static void

View File

@ -10,7 +10,7 @@
Summary: A collection of SNMP protocol tools and libraries Summary: A collection of SNMP protocol tools and libraries
Name: net-snmp Name: net-snmp
Version: 5.8 Version: 5.8
Release: 18%{?dist} Release: 19%{?dist}
Epoch: 1 Epoch: 1
License: BSD License: BSD
@ -46,6 +46,10 @@ Patch16: net-snmp-5.8-licensing.patch
Patch17: net-snmp-5.8-agent-of-death.patch Patch17: net-snmp-5.8-agent-of-death.patch
Patch18: net-snmp-5.8-trapsink.patch Patch18: net-snmp-5.8-trapsink.patch
Patch19: net-snmp-5.8-v3-forward.patch Patch19: net-snmp-5.8-v3-forward.patch
Patch20: net-snmp-5.8-usage-exit.patch
Patch21: net-snmp-5.8-coverity.patch
Patch22: net-snmp-5.8-flood-messages.patch
Patch23: net-snmp-5.8-sec-counter.patch
# Modern RPM API means at least EL6 # Modern RPM API means at least EL6
Patch101: net-snmp-5.8-modern-rpm-api.patch Patch101: net-snmp-5.8-modern-rpm-api.patch
@ -230,6 +234,12 @@ cp %{SOURCE10} .
%patch17 -p1 -b .agent-of-death %patch17 -p1 -b .agent-of-death
%patch18 -p1 -b .trapsink %patch18 -p1 -b .trapsink
%patch19 -p1 -b .v3-forward %patch19 -p1 -b .v3-forward
%patch20 -p1 -b .usage-fix
%patch21 -p1 -b .coverity
%patch22 -p1 -b .flood-messages
%patch23 -p1 -b .sec-counter
%patch101 -p1 -b .modern-rpm-api %patch101 -p1 -b .modern-rpm-api
%patch102 -p1 %patch102 -p1
@ -497,6 +507,12 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
%{_libdir}/libnetsnmptrapd*.so.%{soname}* %{_libdir}/libnetsnmptrapd*.so.%{soname}*
%changelog %changelog
* Thu Apr 09 2020 Josef Ridky <jridky@redhat.com> -1:5.8-19
- exit snmpd after snmpd -h command
- fix issues found by coverity scan
- fix issue with flood messages
- fix double free or corruption error when freeing security context
* Tue Mar 24 2020 Petr Pisar <ppisar@redhat.com> - 1:5.8-18 * Tue Mar 24 2020 Petr Pisar <ppisar@redhat.com> - 1:5.8-18
- Build-require Perl dependencies for running the tests - Build-require Perl dependencies for running the tests