b2ce63191d
- exit snmpd after snmpd -h command - fix issues found by coverity scan - fix issue with flood messages - fix double free or corruption error when freeing security context
147 lines
4.8 KiB
Diff
147 lines
4.8 KiB
Diff
diff -urNp a/include/net-snmp/library/snmpusm.h b/include/net-snmp/library/snmpusm.h
|
|
--- a/include/net-snmp/library/snmpusm.h 2020-03-16 09:54:29.883655600 +0100
|
|
+++ b/include/net-snmp/library/snmpusm.h 2020-03-16 09:55:24.142944520 +0100
|
|
@@ -43,6 +43,7 @@ extern "C" {
|
|
* Structures.
|
|
*/
|
|
struct usmStateReference {
|
|
+ int refcnt;
|
|
char *usr_name;
|
|
size_t usr_name_length;
|
|
u_char *usr_engine_id;
|
|
diff -urNp a/snmplib/snmp_client.c b/snmplib/snmp_client.c
|
|
--- a/snmplib/snmp_client.c 2020-03-16 09:54:29.892655813 +0100
|
|
+++ b/snmplib/snmp_client.c 2020-03-16 09:58:13.214021890 +0100
|
|
@@ -402,27 +402,16 @@ _clone_pdu_header(netsnmp_pdu *pdu)
|
|
return NULL;
|
|
}
|
|
|
|
- if (pdu->securityStateRef &&
|
|
- pdu->command == SNMP_MSG_TRAP2) {
|
|
-
|
|
- ret = usm_clone_usmStateReference((struct usmStateReference *) pdu->securityStateRef,
|
|
- (struct usmStateReference **) &newpdu->securityStateRef );
|
|
-
|
|
- if (ret)
|
|
- {
|
|
+ sptr = find_sec_mod(newpdu->securityModel);
|
|
+ if (sptr && sptr->pdu_clone) {
|
|
+ /* call security model if it needs to know about this */
|
|
+ ret = sptr->pdu_clone(pdu, newpdu);
|
|
+ if (ret) {
|
|
snmp_free_pdu(newpdu);
|
|
return NULL;
|
|
}
|
|
}
|
|
|
|
- if ((sptr = find_sec_mod(newpdu->securityModel)) != NULL &&
|
|
- sptr->pdu_clone != NULL) {
|
|
- /*
|
|
- * call security model if it needs to know about this
|
|
- */
|
|
- (*sptr->pdu_clone) (pdu, newpdu);
|
|
- }
|
|
-
|
|
return newpdu;
|
|
}
|
|
|
|
diff -urNp a/snmplib/snmpusm.c b/snmplib/snmpusm.c
|
|
--- a/snmplib/snmpusm.c 2020-03-16 09:54:29.894655860 +0100
|
|
+++ b/snmplib/snmpusm.c 2020-03-16 10:03:38.870027530 +0100
|
|
@@ -285,43 +285,64 @@ free_enginetime_on_shutdown(int majorid,
|
|
struct usmStateReference *
|
|
usm_malloc_usmStateReference(void)
|
|
{
|
|
- struct usmStateReference *retval = (struct usmStateReference *)
|
|
- calloc(1, sizeof(struct usmStateReference));
|
|
+ struct usmStateReference *retval;
|
|
+
|
|
+ retval = calloc(1, sizeof(struct usmStateReference));
|
|
+ if (retval)
|
|
+ retval->refcnt = 1;
|
|
|
|
return retval;
|
|
} /* end usm_malloc_usmStateReference() */
|
|
|
|
+static int
|
|
+usm_clone(netsnmp_pdu *pdu, netsnmp_pdu *new_pdu)
|
|
+{
|
|
+ struct usmStateReference *ref = pdu->securityStateRef;
|
|
+ struct usmStateReference **new_ref =
|
|
+ (struct usmStateReference **)&new_pdu->securityStateRef;
|
|
+ int ret = 0;
|
|
+
|
|
+ if (!ref)
|
|
+ return ret;
|
|
+
|
|
+ if (pdu->command == SNMP_MSG_TRAP2) {
|
|
+ netsnmp_assert(pdu->securityModel == SNMP_DEFAULT_SECMODEL);
|
|
+ ret = usm_clone_usmStateReference(ref, new_ref);
|
|
+ } else {
|
|
+ netsnmp_assert(ref == *new_ref);
|
|
+ ref->refcnt++;
|
|
+ }
|
|
+
|
|
+ return ret;
|
|
+}
|
|
+
|
|
|
|
void
|
|
usm_free_usmStateReference(void *old)
|
|
{
|
|
- struct usmStateReference *old_ref = (struct usmStateReference *) old;
|
|
+ struct usmStateReference *ref = old;
|
|
|
|
- if (old_ref) {
|
|
+ if (!ref)
|
|
+ return;
|
|
|
|
- if (old_ref->usr_name_length)
|
|
- SNMP_FREE(old_ref->usr_name);
|
|
- if (old_ref->usr_engine_id_length)
|
|
- SNMP_FREE(old_ref->usr_engine_id);
|
|
- if (old_ref->usr_auth_protocol_length)
|
|
- SNMP_FREE(old_ref->usr_auth_protocol);
|
|
- if (old_ref->usr_priv_protocol_length)
|
|
- SNMP_FREE(old_ref->usr_priv_protocol);
|
|
-
|
|
- if (old_ref->usr_auth_key_length && old_ref->usr_auth_key) {
|
|
- SNMP_ZERO(old_ref->usr_auth_key, old_ref->usr_auth_key_length);
|
|
- SNMP_FREE(old_ref->usr_auth_key);
|
|
- }
|
|
- if (old_ref->usr_priv_key_length && old_ref->usr_priv_key) {
|
|
- SNMP_ZERO(old_ref->usr_priv_key, old_ref->usr_priv_key_length);
|
|
- SNMP_FREE(old_ref->usr_priv_key);
|
|
- }
|
|
+ if (--ref->refcnt > 0)
|
|
+ return;
|
|
|
|
- SNMP_ZERO(old_ref, sizeof(*old_ref));
|
|
- SNMP_FREE(old_ref);
|
|
+ SNMP_FREE(ref->usr_name);
|
|
+ SNMP_FREE(ref->usr_engine_id);
|
|
+ SNMP_FREE(ref->usr_auth_protocol);
|
|
+ SNMP_FREE(ref->usr_priv_protocol);
|
|
|
|
+ if (ref->usr_auth_key_length && ref->usr_auth_key) {
|
|
+ SNMP_ZERO(ref->usr_auth_key, ref->usr_auth_key_length);
|
|
+ SNMP_FREE(ref->usr_auth_key);
|
|
+ }
|
|
+ if (ref->usr_priv_key_length && ref->usr_priv_key) {
|
|
+ SNMP_ZERO(ref->usr_priv_key, ref->usr_priv_key_length);
|
|
+ SNMP_FREE(ref->usr_priv_key);
|
|
}
|
|
|
|
+ SNMP_FREE(ref);
|
|
} /* end usm_free_usmStateReference() */
|
|
|
|
struct usmUser *
|
|
@@ -3316,6 +3337,7 @@ init_usm(void)
|
|
def->encode_reverse = usm_secmod_rgenerate_out_msg;
|
|
def->encode_forward = usm_secmod_generate_out_msg;
|
|
def->decode = usm_secmod_process_in_msg;
|
|
+ def->pdu_clone = usm_clone;
|
|
def->pdu_free_state_ref = usm_free_usmStateReference;
|
|
def->session_setup = usm_session_init;
|
|
def->handle_report = usm_handle_report;
|