From 08fd4f5c67ecbaa25aa4597f75bc1a7d1afb164b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C5=A0afr=C3=A1nek?=
Date: Tue, 5 Jan 2010 13:49:14 +0000
Subject: [PATCH] fix invalid access to memory in tcpListenerTable

Resolves: #551030
---
net-snmp-5.5-tcp-pid.patch | 60 ++++++++++++++++++++++++++++++++++++++
net-snmp.spec | 7 ++++-
2 files changed, 66 insertions(+), 1 deletion(-)
create mode 100644 net-snmp-5.5-tcp-pid.patch
diff --git a/net-snmp-5.5-tcp-pid.patch b/net-snmp-5.5-tcp-pid.patch
new file mode 100644
index 0000000..3d67652
--- /dev/null
+++ b/net-snmp-5.5-tcp-pid.patch
@@ -0,0 +1,60 @@
+551030 - Memory corruption in TCP-MIB::tcpListenerProcess
+
+Source: upstream, SVN rev. 17861
+
+ CHANGES: snmpd: Fixed invalid access to memory in TCP-MIB
+
+diff --git a/agent/mibgroup/tcp-mib/tcpConnectionTable/tcpConnectionTable.c b/agent/mibgroup/tcp-mib/tcpConnectionTable/tcpConnectionTable.c
+index 7259bf8..e274d19 100644
+--- a/agent/mibgroup/tcp-mib/tcpConnectionTable/tcpConnectionTable.c
++++ b/agent/mibgroup/tcp-mib/tcpConnectionTable/tcpConnectionTable.c
+@@ -155,6 +155,8 @@ tcpConnectionTable_rowreq_ctx_cleanup(tcpConnectionTable_rowreq_ctx *
+ /*
+ * TODO:211:o: |-> Perform extra tcpConnectionTable rowreq cleanup.
+ */
++ netsnmp_access_tcpconn_entry_free(rowreq_ctx->data);
++ rowreq_ctx->data = NULL;
+ } /* tcpConnectionTable_rowreq_ctx_cleanup */
+
+ /**
+diff --git a/agent/mibgroup/tcp-mib/tcpConnectionTable/tcpConnectionTable_data_access.c b/agent/mibgroup/tcp-mib/tcpConnectionTable/tcpConnectionTable_data_access.c
+index 807dd9d..fec6bef 100644
+--- a/agent/mibgroup/tcp-mib/tcpConnectionTable/tcpConnectionTable_data_access.c
++++ b/agent/mibgroup/tcp-mib/tcpConnectionTable/tcpConnectionTable_data_access.c
+@@ -256,7 +256,8 @@ tcpConnectionTable_container_load(netsnmp_container *container)
+ * free the container. we've either claimed each entry, or released it,
+ * so the dal function doesn't need to clear the container.
+ */
+- netsnmp_access_tcpconn_container_free(raw_data, 0);
++ netsnmp_access_tcpconn_container_free(raw_data,
++ NETSNMP_ACCESS_TCPCONN_FREE_DONT_CLEAR);
+
+ DEBUGMSGT(("verbose:tcpConnectionTable:tcpConnectionTable_cache_load",
+ "%d records\n", (int)CONTAINER_SIZE(container)));
+diff --git a/agent/mibgroup/tcp-mib/tcpListenerTable/tcpListenerTable.c b/agent/mibgroup/tcp-mib/tcpListenerTable/tcpListenerTable.c
+index f3009dd..ebd672b 100644
+--- a/agent/mibgroup/tcp-mib/tcpListenerTable/tcpListenerTable.c
++++ b/agent/mibgroup/tcp-mib/tcpListenerTable/tcpListenerTable.c
+@@ -154,6 +154,8 @@ tcpListenerTable_rowreq_ctx_cleanup(tcpListenerTable_rowreq_ctx *
+ /*
+ * TODO:211:o: |-> Perform extra tcpListenerTable rowreq cleanup.
+ */
++ netsnmp_access_tcpconn_entry_free(rowreq_ctx->data);
++ rowreq_ctx->data = NULL;
+ } /* tcpListenerTable_rowreq_ctx_cleanup */
+
+ /**
+diff --git a/agent/mibgroup/tcp-mib/tcpListenerTable/tcpListenerTable_data_access.c b/agent/mibgroup/tcp-mib/tcpListenerTable/tcpListenerTable_data_access.c
+index 09ba655..b25d5db 100644
+--- a/agent/mibgroup/tcp-mib/tcpListenerTable/tcpListenerTable_data_access.c
++++ b/agent/mibgroup/tcp-mib/tcpListenerTable/tcpListenerTable_data_access.c
+@@ -254,7 +254,8 @@ tcpListenerTable_container_load(netsnmp_container *container)
+ * free the container. we've either claimed each entry, or released it,
+ * so the dal function doesn't need to clear the container.
+ */
+- netsnmp_access_tcpconn_container_free(raw_data, 0);
++ netsnmp_access_tcpconn_container_free(raw_data,
++ NETSNMP_ACCESS_TCPCONN_FREE_DONT_CLEAR);
+
+ DEBUGMSGT(("verbose:tcpListenerTable:tcpListenerTable_cache_load",
+ "%d records\n", (int)CONTAINER_SIZE(container)));
diff --git a/net-snmp.spec b/net-snmp.spec
index 6abb61c..e18483e 100644
--- a/net-snmp.spec
+++ b/net-snmp.spec
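Review bot: The ownership hand-off that the four inner hunks of net-snmp-5.5-tcp-pid.patch rely on is not written down anywhere: the two `*_rowreq_ctx_cleanup` functions now free `rowreq_ctx->data`, the two `*_container_load` functions stop freeing entries by passing `NETSNMP_ACCESS_TCPCONN_FREE_DONT_CLEAR`, and the generated `TODO:211:o` placeholder is still the only comment above the new calls. I would replace that placeholder in both cleanup functions with `/* the row owns its tcpconn entry (container_load frees raw_data with DONT_CLEAR); release it exactly once here */`. Both sides of that contract lie outside the visible lines (the load loop that the existing comment says claims or releases every entry, and whatever releases the row context after cleanup), so it is worth confirming that no entry can be left unclaimed in `raw_data`, where it would now leak, and that any later release path skips a NULL `data` instead of freeing it a second time. Running the agent under valgrind or ASan while walking tcpConnectionTable and tcpListenerTable across cache reloads would cover the original invalid access as well as those two cases.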
@@ -11,7 +11,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.5 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 1 License: BSD and MIT @@ -32,6 +32,7 @@ Patch3: net-snmp-5.5-multilib.patch Patch4: net-snmp-5.5-sensors3.patch Patch5: net-snmp-5.5-udptable-index.patch Patch6: net-snmp-5.5-missing-bcast.patch +Patch7: net-snmp-5.5-tcp-pid.patch Requires(post): chkconfig Requires(preun): chkconfig @@ -163,6 +164,7 @@ Net-SNMP toolkit library. %patch4 -p1 -b .sensors %patch5 -p1 -b .udptable-index %patch6 -p1 -b .missing-bcast +%patch7 -p1 -b .tcp-pid %build MIBS="host agentx smux \ @@ -404,6 +406,9 @@ rm -rf ${RPM_BUILD_ROOT} %{_datadir}/snmp/mibs/* %changelog +* Tue Jan 5 2010 Jan Safranek - 1:5.5-8 +- fix invalid access to memory in tcpListenerTable (#551030) + * Mon Dec 21 2009 Jan Safranek - 1:5.5-7 - fix crash with interfaces without broadcast addresses (like OpenVPN's tun0) (#544849)