From 172d7325f8cfb66619fa40a3e3dce9810d2ab1b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josef=20=C5=98=C3=ADdk=C3=BD?= Date: Tue, 7 Jul 2020 13:14:38 +0200 Subject: [PATCH] Bugfixes and enhancements related to RHEL --- net-snmp-5.8-aes-config.patch | 100 +++++++++++++ net-snmp-5.8-dskTable-dynamic.patch | 181 +++++++++++++++++++++++ net-snmp-5.8-duplicate-ipAddress.patch | 11 ++ net-snmp-5.8-expand-SNMPCONFPATH.patch | 12 ++ net-snmp-5.8-ipAddress-faster-load.patch | 82 ++++++++++ net-snmp-5.8-man-page.patch | 36 +++++ net-snmp-5.8-memory-reporting.patch | 35 +++++ net-snmp-5.8-proxy-getnext.patch | 12 ++ net-snmp-5.8-rpm-memory-leak.patch | 26 ++++ net-snmp-5.8-sec-memory-leak.patch | 84 +++++++++++ net-snmp.spec | 37 ++++- snmpd.service | 2 +- snmptrapd.service | 2 +- 13 files changed, 616 insertions(+), 4 deletions(-) create mode 100644 net-snmp-5.8-aes-config.patch create mode 100644 net-snmp-5.8-dskTable-dynamic.patch create mode 100644 net-snmp-5.8-duplicate-ipAddress.patch create mode 100644 net-snmp-5.8-expand-SNMPCONFPATH.patch create mode 100644 net-snmp-5.8-ipAddress-faster-load.patch create mode 100644 net-snmp-5.8-man-page.patch create mode 100644 net-snmp-5.8-memory-reporting.patch create mode 100644 net-snmp-5.8-proxy-getnext.patch create mode 100644 net-snmp-5.8-rpm-memory-leak.patch create mode 100644 net-snmp-5.8-sec-memory-leak.patch diff --git a/net-snmp-5.8-aes-config.patch b/net-snmp-5.8-aes-config.patch new file mode 100644 index 0000000..a1ce69c --- /dev/null +++ b/net-snmp-5.8-aes-config.patch 
@@ -0,0 +1,100 @@
+From 0be093688013b90896f2db3204bb20e790d70149 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Mon, 27 Apr 2020 08:23:16 -0700
+Subject: [PATCH] configure: Report supported authentication and encryption
+ modes correctly
+
+Commit 9e49de2e03b1 ("NEWS: snmplib: AES-192/AES-256 compatibility with SNMP
+Research / CISCO") removed SHA-128 and SHA-192 support and added support for
+SHA-224, SHA-256, SHA-384 and SHA-512. Commit 329a9d3c9d63 ("revamp auth/priv
+protocol constants handling") added support for several AES encryption modes.
+Make the configure script report which modes are supported.
+---
+ configure | 15 ++++++++++++++-
+ configure.d/config_os_misc2 | 15 ++++++++++++++-
+ 2 files changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/configure b/configure
+index 46402589f..7481ebd07 100755
+--- a/configure
++++ b/configure
+@@ -26453,7 +26453,13 @@ $as_echo "#define NETSNMP_USE_INTERNAL_CRYPTO 1" >>confdefs.h
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: Internal Crypto Support" >&5
+ $as_echo "Internal Crypto Support" >&6; }
+ elif test "x$useopenssl" != "xno" ; then
+- authmodes="MD5 SHA1 SHA512 SHA384 SHA256 SHA192"
++ authmodes="MD5 SHA1"
++ if test "x$ac_cv_func_EVP_sha224" = xyes; then
++ authmodes="$authmodes SHA224 SHA256"
++ fi
++ if test "x$ac_cv_func_EVP_sha384" = xyes; then
++ authmodes="$authmodes SHA384 SHA512"
++ fi
+ if test "x$enable_privacy" != "xno" ; then
+ if test "x$ac_cv_header_openssl_aes_h" = "xyes" ; then
+ encrmodes="DES AES"
+@@ -26492,6 +26498,13 @@ fi
+ if test "x$enable_md5" = "xno"; then
+ authmodes=`echo $authmodes | $SED 's/MD5 *//;'`
+ fi
++if test "x$ac_cv_func_AES_cfb128_encrypt" = xyes ||
++ test "x$CRYPTO" = xinternal; then
++ encrmodes="$encrmodes AES128"
++ if test "x$aes_capable" = "xyes"; then
++ encrmodes="$encrmodes AES192 AES192C AES256 AES256C"
++ fi
++fi
+
+
+
+diff --git a/configure.d/config_os_misc2 b/configure.d/config_os_misc2
+index 1df9bf0a2..be0bccec0 100644
+--- a/configure.d/config_os_misc2
++++ b/configure.d/config_os_misc2
+@@ -53,7 +53,13 @@ if test "x$CRYPTO" = "xinternal" ; then
+ AC_DEFINE(NETSNMP_USE_INTERNAL_CRYPTO, 1, "Define if internal cryptography code should be used")
+ AC_MSG_RESULT(Internal Crypto Support)
+ elif test "x$useopenssl" != "xno" ; then
+- authmodes="MD5 SHA1 SHA512 SHA384 SHA256 SHA192"
++ authmodes="MD5 SHA1"
++ if test "x$ac_cv_func_EVP_sha224" = xyes; then
++ authmodes="$authmodes SHA224 SHA256"
++ fi
++ if test "x$ac_cv_func_EVP_sha384" = xyes; then
++ authmodes="$authmodes SHA384 SHA512"
++ fi
+ if test "x$enable_privacy" != "xno" ; then
+ if test "x$ac_cv_header_openssl_aes_h" = "xyes" ; then
+ encrmodes="DES AES"
+@@ -86,6 +92,13 @@ fi
+ if test "x$enable_md5" = "xno"; then
+ authmodes=`echo $authmodes | $SED 's/MD5 *//;'`
+ fi
++if test "x$ac_cv_func_AES_cfb128_encrypt" = xyes ||
++ test "x$CRYPTO" = xinternal; then
++ encrmodes="$encrmodes AES128"
++ if test "x$aes_capable" = "xyes"; then
++ encrmodes="$encrmodes AES192 AES192C AES256 AES256C"
++ fi
++fi
+ AC_SUBST(LNETSNMPLIBS)
+ AC_SUBST(LAGENTLIBS)
+
+
+diff -urNp a/net-snmp-create-v3-user.in b/net-snmp-create-v3-user.in
+--- a/net-snmp-create-v3-user.in 2020-06-15 12:59:05.117432700 +0200
++++ b/net-snmp-create-v3-user.in 2020-06-15 13:01:36.151905241 +0200
+@@ -58,11 +58,11 @@ case $1 in
+ exit 1
+ fi
+ case $1 in
+- DES|AES|AES128)
++ DES|AES|AES128|AES192|AES256)
+ Xalgorithm=$1
+ shift
+ ;;
+- des|aes|aes128)
++ des|aes|aes128|aes192|aes256)
+ Xalgorithm=`echo $1 | tr a-z A-Z`
+ shift
+ ;;
diff --git a/net-snmp-5.8-dskTable-dynamic.patch b/net-snmp-5.8-dskTable-dynamic.patch
new file mode 100644
index 0000000..3ecbe64
--- /dev/null
+++ b/net-snmp-5.8-dskTable-dynamic.patch
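Review bot: The new `encrmodes` append in `configure` and `configure.d/config_os_misc2` follows the MD5 filter and, as far as these hunks show, is not gated on `enable_privacy`, so a build configured without privacy may still list AES128/AES192/AES256 as supported encryption modes. A summary that overstates the available privacy protocols misleads anyone auditing the build; the condition could start with `if test "x$enable_privacy" != "xno" && { test "x$ac_cv_func_AES_cfb128_encrypt" = xyes || test "x$CRYPTO" = xinternal; }; then`. The enclosing conditionals begin outside the hunks and the indentation is lost, so the nesting needs confirming against the full script. The summary also lists `AES192C`/`AES256C` while `net-snmp-create-v3-user.in` accepts only `AES192`/`AES256`; a short comment saying whether that difference is intended would help.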
@@ -0,0 +1,181 @@
+diff -ruNp a/agent/mibgroup/ucd-snmp/disk.c b/agent/mibgroup/ucd-snmp/disk.c
+--- a/agent/mibgroup/ucd-snmp/disk.c 2020-06-10 09:29:35.867328760 +0200
++++ b/agent/mibgroup/ucd-snmp/disk.c 2020-06-10 09:44:13.053535421 +0200
+@@ -153,9 +153,10 @@ static void disk_free_config(void)
+ static void disk_parse_config(const char *, char *);
+ static void disk_parse_config_all(const char *, char *);
+ #if HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS
+-static void find_and_add_allDisks(int minpercent);
++static void refresh_disk_table(int addNewDisks, int minpercent);
+ static void add_device(char *path, char *device,
+- int minspace, int minpercent, int override);
++ int minspace, int minpercent, int addNewDisks,
++ int override);
+ static void modify_disk_parameters(int index, int minspace,
+ int minpercent);
+ static int disk_exists(char *path);
+@@ -167,6 +168,7 @@ struct diskpart {
+ char path[STRMAX];
+ int minimumspace;
+ int minpercent;
++ int alive;
+ };
+
+ #define MAX_INT_32 0x7fffffff
+@@ -174,6 +176,7 @@ struct diskpart {
+
+ unsigned int numdisks;
+ int allDisksIncluded = 0;
++int allDisksMinPercent = 0;
+ unsigned int maxdisks = 0;
+ struct diskpart *disks;
+
+@@ -238,6 +241,7 @@ init_disk(void)
+ disk_free_config,
+ "minpercent%");
+ allDisksIncluded = 0;
++ allDisksMinPercent = 0;
+ }
+
+ static void
+@@ -253,6 +257,7 @@ disk_free_config(void)
+ disks[i].minpercent = -1;
+ }
+ allDisksIncluded = 0;
++ allDisksMinPercent = 0;
+ }
+
+ static void
+@@ -313,7 +318,7 @@ disk_parse_config(const char *token, cha
+ * check if the disk already exists, if so then modify its
+ * parameters. if it does not exist then add it
+ */
+- add_device(path, find_device(path), minspace, minpercent, 1);
++ add_device(path, find_device(path), minspace, minpercent, 1, 1);
+ #endif /* HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS */
+ }
+
+@@ -372,7 +377,7 @@ disk_parse_config_all(const char *token,
+
+ #if HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS
+ static void
+-add_device(char *path, char *device, int minspace, int minpercent, int override)
++add_device(char *path, char *device, int minspace, int minpercent, int addNewDisks, int override)
+ {
+ int index;
+
+@@ -402,10 +407,16 @@ add_device(char *path, char *device, int
+ }
+
+ index = disk_exists(path);
+- if((index != -1) && (index < maxdisks) && (override==1)) {
+- modify_disk_parameters(index, minspace, minpercent);
++ if((index != -1) && (index < maxdisks)) {
++ /* the path is already in the table */
++ disks[index].alive = 1;
++ /* -> update its device */
++ strlcpy(disks[index].device, device, sizeof(disks[index].device));
++ if (override == 1) {
++ modify_disk_parameters(index, minspace, minpercent);
++ }
+ }
+- else if(index == -1){
++ else if(index == -1 && addNewDisks){
+ /* add if and only if the device was found */
+ if(device[0] != 0) {
+ /* The following buffers are cleared above, no need to add '\0' */
+@@ -413,6 +424,7 @@ add_device(char *path, char *device, int
+ strlcpy(disks[numdisks].device, device, sizeof(disks[numdisks].device));
+ disks[numdisks].minimumspace = minspace;
+ disks[numdisks].minpercent = minpercent;
++ disks[numdisks].alive = 1;
+ numdisks++;
+ }
+ else {
+@@ -420,6 +432,7 @@ add_device(char *path, char *device, int
+ disks[numdisks].minpercent = -1;
+ disks[numdisks].path[0] = 0;
+ disks[numdisks].device[0] = 0;
++ disks[numdisks].alive = 0;
+ }
+ }
+ }
+@@ -444,7 +457,7 @@ int disk_exists(char *path)
+ }
+
+ static void
+-find_and_add_allDisks(int minpercent)
++refresh_disk_table(int addNewDisks, int minpercent)
+ {
+ #if HAVE_GETMNTENT
+ #if HAVE_SYS_MNTTAB_H
+@@ -480,7 +493,7 @@ find_and_add_allDisks(int minpercent)
+ return;
+ }
+ while (mntfp && NULL != (mntent = getmntent(mntfp))) {
+- add_device(mntent->mnt_dir, mntent->mnt_fsname, -1, minpercent, 0);
++ add_device(mntent->mnt_dir, mntent->mnt_fsname, -1, minpercent, addNewDisks, 0);
+ dummy = 1;
+ }
+ if (mntfp)
+@@ -497,7 +510,7 @@ find_and_add_allDisks(int minpercent)
+ return;
+ }
+ while ((i = getmntent(mntfp, &mnttab)) == 0) {
+- add_device(mnttab.mnt_mountp, mnttab.mnt_special, -1, minpercent, 0);
++ add_device(mnttab.mnt_mountp, mnttab.mnt_special, -1, minpercent, addNewDisks, 0);
+ dummy = 1;
+ }
+ fclose(mntfp);
+@@ -510,7 +523,7 @@ find_and_add_allDisks(int minpercent)
+ #elif HAVE_FSTAB_H
+ setfsent(); /* open /etc/fstab */
+ while((fstab1 = getfsent()) != NULL) {
+- add_device(fstab1->fs_file, fstab1->fs_spec, -1, minpercent, 0);
++ add_device(fstab1->fs_file, fstab1->fs_spec, -1, minpercent, addNewDisks, 0);
+ dummy = 1;
+ }
+ endfsent(); /* close /etc/fstab */
+@@ -521,7 +534,7 @@ find_and_add_allDisks(int minpercent)
+ mntsize = getmntinfo(&mntbuf, MNT_NOWAIT);
+ for (i = 0; i < mntsize; i++) {
+ if (strncmp(mntbuf[i].f_fstypename, "zfs", 3) == 0) {
+- add_device(mntbuf[i].f_mntonname, mntbuf[i].f_mntfromname, -1, minpercent, 0);
++ add_device(mntbuf[i].f_mntonname, mntbuf[i].f_mntfromname, -1, minpercent, addNewDisks, 0);
+ }
+ }
+ }
+@@ -537,7 +550,7 @@ find_and_add_allDisks(int minpercent)
+ * statfs we default to the root partition "/"
+ */
+ if (statfs("/", &statf) == 0) {
+- add_device("/", statf.f_mntfromname, -1, minpercent, 0);
++ add_device("/", statf.f_mntfromname, -1, minpercent, addNewDisks, 0);
+ }
+ #endif
+ else {
+@@ -696,6 +709,10 @@ fill_dsk_entry(int disknum, struct dsk_e
+ #endif
+ #endif
+
++ if (disks[disknum].alive == 0){
++ return -1;
++ }
++
+ entry->dskPercentInode = -1;
+
+ #if defined(HAVE_STATVFS) || defined(HAVE_STATFS)
+@@ -826,6 +843,13 @@ var_extensible_disk(struct variable *vp,
+ static long long_ret;
+ static char *errmsg;
+
++ int i;
++ for (i = 0; i < numdisks; i++){
++ disks[i].alive = 0;
++ }
++ /* dynamically add new disks + update alive flag */
++ refresh_disk_table(allDisksIncluded, allDisksMinPercent);
++
+ tryAgain:
+ if (header_simple_table
+ (vp, name, length, exact, var_len, write_method, numdisks))
diff --git a/net-snmp-5.8-duplicate-ipAddress.patch b/net-snmp-5.8-duplicate-ipAddress.patch
new file mode 100644
index 0000000..075976a
--- /dev/null
+++ b/net-snmp-5.8-duplicate-ipAddress.patch
@@ -0,0 +1,11 @@
+diff -urNp a/agent/mibgroup/ip-mib/data_access/ipaddress_common.c b/agent/mibgroup/ip-mib/data_access/ipaddress_common.c
+--- a/agent/mibgroup/ip-mib/data_access/ipaddress_common.c 2020-06-10 13:27:03.213904398 +0200
++++ b/agent/mibgroup/ip-mib/data_access/ipaddress_common.c 2020-06-10 13:28:41.025863050 +0200
+@@ -121,6 +121,7 @@ _remove_duplicates(netsnmp_container *co
+ for (entry = ITERATOR_FIRST(it); entry; entry = ITERATOR_NEXT(it)) {
+ if (prev_entry && _access_ipaddress_entry_compare_addr(prev_entry, entry) == 0) {
+ /* 'entry' is duplicate of the previous one -> delete it */
++ NETSNMP_LOGONCE((LOG_ERR, "Duplicate IPv4 address detected, some interfaces may not be visible in IP-MIB\n"));
+ netsnmp_access_ipaddress_entry_free(entry);
+ } else {
+ CONTAINER_INSERT(ret, entry);
diff --git a/net-snmp-5.8-expand-SNMPCONFPATH.patch b/net-snmp-5.8-expand-SNMPCONFPATH.patch
new file mode 100644
index 0000000..a812cf4
--- /dev/null
+++ b/net-snmp-5.8-expand-SNMPCONFPATH.patch
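Review bot: In `agent/mibgroup/ucd-snmp/disk.c`, `var_extensible_disk()` now clears every `alive` flag and then calls `refresh_disk_table()`, but the context lines of `refresh_disk_table()` show early `return` paths ahead of the mount-table loops; if one of them is taken (presumably when the mount table cannot be opened), every entry stays dead and `fill_dsk_entry()` returns -1 for all disks. Resetting the flags inside `refresh_disk_table()` only after the mount table has been opened would keep the last known state on a transient failure. The refresh also runs on every call of the handler, so a table walk rescans the mount table once per requested varbind; remembering the time of the last refresh and skipping the rescan within a short interval would bound the work a remote requester can trigger. The call is not visibly wrapped in `#if HAVE_FSTAB_H || HAVE_GETMNTENT || HAVE_STATFS`, which guards the prototype. Both function bodies extend beyond the hunks, so these points need checking against the full file.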
@@ -0,0 +1,12 @@
+diff -ruNp a/snmplib/read_config.c b/snmplib/read_config.c
+--- a/snmplib/read_config.c 2020-06-10 09:51:57.184786510 +0200
++++ b/snmplib/read_config.c 2020-06-10 09:53:13.257507112 +0200
+@@ -1642,7 +1642,7 @@ snmp_save_persistent(const char *type)
+ * save a warning header to the top of the new file
+ */
+ snprintf(fileold, sizeof(fileold),
+- "%s%s# Please save normal configuration tokens for %s in SNMPCONFPATH/%s.conf.\n# Only \"createUser\" tokens should be placed here by %s administrators.\n%s",
++ "%s%s# Please save normal configuration tokens for %s in /etc/snmp/%s.conf.\n# Only \"createUser\" tokens should be placed here by %s administrators.\n%s",
+ "#\n# net-snmp (or ucd-snmp) persistent data file.\n#\n############################################################################\n# STOP STOP STOP STOP STOP STOP STOP STOP STOP \n",
+ "#\n# **** DO NOT EDIT THIS FILE ****\n#\n# STOP STOP STOP STOP STOP STOP STOP STOP STOP \n############################################################################\n#\n# DO NOT STORE CONFIGURATION ENTRIES HERE.\n",
+ type, type, type,
diff --git a/net-snmp-5.8-ipAddress-faster-load.patch b/net-snmp-5.8-ipAddress-faster-load.patch
new file mode 100644
index 0000000..db95998
--- /dev/null
+++ b/net-snmp-5.8-ipAddress-faster-load.patch
@@ -0,0 +1,82 @@
+diff -urNp a/agent/mibgroup/mibII/ipAddr.c b/agent/mibgroup/mibII/ipAddr.c
+--- a/agent/mibgroup/mibII/ipAddr.c 2020-06-10 14:14:30.113696471 +0200
++++ b/agent/mibgroup/mibII/ipAddr.c 2020-06-10 14:27:15.345354018 +0200
+@@ -495,14 +495,16 @@ Address_Scan_Next(Index, Retin_ifaddr)
+ }
+
+ #elif defined(linux)
++#include
+ static struct ifreq *ifr;
+ static int ifr_counter;
+
+ static void
+ Address_Scan_Init(void)
+ {
+- int num_interfaces = 0;
++ int i;
+ int fd;
++ int lastlen = 0;
+
+ /* get info about all interfaces */
+
+@@ -510,28 +512,45 @@ Address_Scan_Init(void)
+ SNMP_FREE(ifc.ifc_buf);
+ ifr_counter = 0;
+
+- do
+- {
+ if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
+ {
+ DEBUGMSGTL(("snmpd", "socket open failure in Address_Scan_Init\n"));
+ return;
+ }
+- num_interfaces += 16;
+
+- ifc.ifc_len = sizeof(struct ifreq) * num_interfaces;
+- ifc.ifc_buf = (char*) realloc(ifc.ifc_buf, ifc.ifc_len);
+-
+- if (ioctl(fd, SIOCGIFCONF, &ifc) < 0)
+- {
+- ifr=NULL;
+- close(fd);
+- return;
+- }
+- close(fd);
++ /*
++ * Cope with lots of interfaces and brokenness of ioctl SIOCGIFCONF
++ * on some platforms; see W. R. Stevens, ``Unix Network Programming
++ * Volume I'', p.435...
++ */
++
++ for (i = 8;; i *= 2) {
++ ifc.ifc_len = sizeof(struct ifreq) * i;
++ ifc.ifc_req = calloc(i, sizeof(struct ifreq));
++
++ if (ioctl(fd, SIOCGIFCONF, &ifc) < 0) {
++ if (errno != EINVAL || lastlen != 0) {
++ /*
++ * Something has gone genuinely wrong...
++ */
++ snmp_log(LOG_ERR, "bad rc from ioctl, errno %d", errno);
++ SNMP_FREE(ifc.ifc_buf);
++ close(fd);
++ return;
++ }
++ } else {
++ if (ifc.ifc_len == lastlen) {
++ /*
++ * The length is the same as the last time; we're done...
++ */
++ break;
++ }
++ lastlen = ifc.ifc_len;
++ }
++ free(ifc.ifc_buf); /* no SNMP_FREE, getting ready to reassign */
+ }
+- while (ifc.ifc_len >= (sizeof(struct ifreq) * num_interfaces));
+-
++
++ close(fd);
+ ifr = ifc.ifc_req;
+ }
+
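Review bot: The rewritten `Address_Scan_Init()` in `agent/mibgroup/mibII/ipAddr.c` drops the `ifr=NULL;` that the old ioctl-failure path had, so after `SNMP_FREE(ifc.ifc_buf)` and `return` the static `ifr` can still hold the address of the buffer freed at the top of the function. Unless `Address_Scan_Next()` (outside this hunk) gates on something else, that is a stale pointer; add `ifr = NULL;` before that `return`. The `calloc()` result is also handed to `ioctl(fd, SIOCGIFCONF, &ifc)` unchecked, and on Linux a NULL buffer makes the ioctl report only the required length, so an allocation failure can end the loop with `ifr` NULL and nothing logged; `if (ifc.ifc_req == NULL) { close(fd); ifr = NULL; return; }` right after the allocation makes that explicit. The new `snmp_log()` message has no trailing `\n`, unlike the other log strings in this commit.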
diff --git a/net-snmp-5.8-man-page.patch b/net-snmp-5.8-man-page.patch
new file mode 100644
index 0000000..dc78e14
--- /dev/null
+++ b/net-snmp-5.8-man-page.patch
@@ -0,0 +1,36 @@
+diff -urNp a/man/net-snmp-create-v3-user.1.def b/man/net-snmp-create-v3-user.1.def
+--- a/man/net-snmp-create-v3-user.1.def 2020-06-10 13:43:18.443070961 +0200
++++ b/man/net-snmp-create-v3-user.1.def 2020-06-10 13:49:25.975363441 +0200
+@@ -3,7 +3,7 @@
+ net-snmp-create-v3-user \- create a SNMPv3 user in net-snmp configuration file
+ .SH SYNOPSIS
+ .PP
+-.B net-snmp-create-v3-user [-ro] [-a authpass] [-x privpass] [-X DES|AES]
++.B net-snmp-create-v3-user [-ro] [-A authpass] [-a MD5|SHA] [-X privpass] [-x DES|AES]
+ .B [username]
+ .SH DESCRIPTION
+ .PP
+@@ -16,13 +16,16 @@ new user in net-snmp configuration file
+ displays the net-snmp version number
+ .TP
+ \fB\-ro\fR
+-create an user with read-only permissions
++creates a user with read-only permissions
+ .TP
+-\fB\-a authpass\fR
+-specify authentication password
++\fB\-A authpass\fR
++specifies the authentication password
+ .TP
+-\fB\-x privpass\fR
+-specify encryption password
++\fB\-a MD5|SHA\fR
++specifies the authentication password hashing algorithm
+ .TP
+-\fB\-X DES|AES\fR
+-specify encryption algorithm
++\fB\-X privpass\fR
++specifies the encryption password
++.TP
++\fB\-x DES|AES\fR
++specifies the encryption algorithm
diff --git a/net-snmp-5.8-memory-reporting.patch b/net-snmp-5.8-memory-reporting.patch
new file mode 100644
index 0000000..da03a37
--- /dev/null
+++ b/net-snmp-5.8-memory-reporting.patch
@@ -0,0 +1,35 @@
+diff -urNp a/agent/mibgroup/hardware/memory/memory_linux.c b/agent/mibgroup/hardware/memory/memory_linux.c
+--- a/agent/mibgroup/hardware/memory/memory_linux.c 2020-06-10 13:36:40.164588176 +0200
++++ b/agent/mibgroup/hardware/memory/memory_linux.c 2020-06-10 13:38:59.398944829 +0200
+@@ -29,7 +29,7 @@ int netsnmp_mem_arch_load( netsnmp_cache
+ ssize_t bytes_read;
+ char *b;
+ unsigned long memtotal = 0, memfree = 0, memshared = 0,
+- buffers = 0, cached = 0,
++ buffers = 0, cached = 0, sreclaimable = 0,
+ swaptotal = 0, swapfree = 0;
+
+ netsnmp_memory_info *mem;
+@@ -127,6 +127,13 @@ int netsnmp_mem_arch_load( netsnmp_cache
+ if (first)
+ snmp_log(LOG_ERR, "No SwapTotal line in /proc/meminfo\n");
+ }
++ b = strstr(buff, "SReclaimable: ");
++ if (b)
++ sscanf(b, "SReclaimable: %lu", &sreclaimable);
++ else {
++ if (first)
++ snmp_log(LOG_ERR, "No SReclaimable line in /proc/meminfo\n");
++ }
+ b = strstr(buff, "SwapFree: ");
+ if (b)
+ sscanf(b, "SwapFree: %lu", &swapfree);
+@@ -183,7 +190,7 @@ int netsnmp_mem_arch_load( netsnmp_cache
+ if (!mem->descr)
+ mem->descr = strdup("Cached memory");
+ mem->units = 1024;
+- mem->size = cached;
++ mem->size = cached+sreclaimable;
+ mem->free = 0; /* Report cached size/used as equal */
+ mem->other = -1;
+ }
diff --git a/net-snmp-5.8-proxy-getnext.patch b/net-snmp-5.8-proxy-getnext.patch
new file mode 100644
index 0000000..ff2294f
--- /dev/null
+++ b/net-snmp-5.8-proxy-getnext.patch
@@ -0,0 +1,12 @@
+diff -ruNp a/agent/mibgroup/ucd-snmp/proxy.c b/agent/mibgroup/ucd-snmp/proxy.c
+--- a/agent/mibgroup/ucd-snmp/proxy.c 2020-06-10 09:24:24.933347483 +0200
++++ b/agent/mibgroup/ucd-snmp/proxy.c 2020-06-10 09:25:49.007148474 +0200
+@@ -460,7 +460,7 @@ proxy_handler(netsnmp_mib_handler *handl
+ if (sp->base_len &&
+ reqinfo->mode == MODE_GETNEXT &&
+ (snmp_oid_compare(ourname, ourlength,
+- sp->base, sp->base_len) < 0)) {
++ sp->name, sp->name_len) < 0)) {
+ DEBUGMSGTL(( "proxy", "request is out of registered range\n"));
+ /*
+ * Create GETNEXT request with an OID so the
diff --git a/net-snmp-5.8-rpm-memory-leak.patch b/net-snmp-5.8-rpm-memory-leak.patch
new file mode 100644
index 0000000..33b8d29
--- /dev/null
+++ b/net-snmp-5.8-rpm-memory-leak.patch
@@ -0,0 +1,26 @@
+diff -urNp a/agent/mibgroup/host/data_access/swinst_rpm.c b/agent/mibgroup/host/data_access/swinst_rpm.c
+--- a/agent/mibgroup/host/data_access/swinst_rpm.c 2020-06-10 14:32:43.330486233 +0200
++++ b/agent/mibgroup/host/data_access/swinst_rpm.c 2020-06-10 14:35:46.672298741 +0200
+@@ -75,6 +75,9 @@ netsnmp_swinst_arch_init(void)
+ snprintf( pkg_directory, SNMP_MAXPATH, "%s/Packages", dbpath );
+ SNMP_FREE(rpmdbpath);
+ dbpath = NULL;
++#ifdef HAVE_RPMGETPATH
++ rpmFreeRpmrc();
++#endif
+ if (-1 == stat( pkg_directory, &stat_buf )) {
+ snmp_log(LOG_ERR, "Can't find directory of RPM packages");
+ pkg_directory[0] = '\0';
+diff -urNp a/agent/mibgroup/host/hr_swinst.c b/agent/mibgroup/host/hr_swinst.c
+--- a/agent/mibgroup/host/hr_swinst.c 2020-06-10 14:32:43.325486184 +0200
++++ b/agent/mibgroup/host/hr_swinst.c 2020-06-10 14:36:44.423872418 +0200
+@@ -231,6 +231,9 @@ init_hr_swinst(void)
+ snprintf(path, sizeof(path), "%s/packages.rpm", swi->swi_dbpath);
+ path[ sizeof(path)-1 ] = 0;
+ swi->swi_directory = strdup(path);
++#ifdef HAVE_RPMGETPATH
++ rpmFreeRpmrc();
++#endif
+ }
+ #else
+ # ifdef _PATH_HRSW_directory
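Review bot: The condition in `proxy_handler()` (`agent/mibgroup/ucd-snmp/proxy.c`) has no comment explaining why it is still gated on `sp->base_len` now that the comparison uses `sp->name`/`sp->name_len`, so a reader cannot tell which OID space `ourname` is in at this point. A short comment above the `if` would settle it, for example `/* ourname is still in the registered (name) space here; base_len only tells us that a remap is configured */`, assuming that is the intent. The rest of the branch, which builds the rewritten GETNEXT, lies outside the hunk, so confirm it still substitutes the OID that matches this comparison.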
diff --git a/net-snmp-5.8-sec-memory-leak.patch b/net-snmp-5.8-sec-memory-leak.patch
new file mode 100644
index 0000000..2d5a986
--- /dev/null
+++ b/net-snmp-5.8-sec-memory-leak.patch
@@ -0,0 +1,84 @@
+diff -urNp a/agent/snmp_agent.c b/agent/snmp_agent.c
+--- a/agent/snmp_agent.c 2020-06-11 10:20:31.646339191 +0200
++++ b/agent/snmp_agent.c 2020-06-11 10:23:41.178056889 +0200
+@@ -1605,12 +1605,6 @@ free_agent_snmp_session(netsnmp_agent_se
+ DEBUGMSGTL(("verbose:asp", "asp %p reqinfo %p freed\n",
+ asp, asp->reqinfo));
+
+- /* Clean up securityStateRef here to prevent a double free */
+- if (asp->orig_pdu && asp->orig_pdu->securityStateRef)
+- snmp_free_securityStateRef(asp->orig_pdu);
+- if (asp->pdu && asp->pdu->securityStateRef)
+- snmp_free_securityStateRef(asp->pdu);
+-
+ if (asp->orig_pdu)
+ snmp_free_pdu(asp->orig_pdu);
+ if (asp->pdu)
+diff -urNp a/include/net-snmp/pdu_api.h b/include/net-snmp/pdu_api.h
+--- a/include/net-snmp/pdu_api.h 2020-06-11 10:20:31.631339058 +0200
++++ b/include/net-snmp/pdu_api.h 2020-06-11 10:24:17.261390028 +0200
+@@ -19,8 +19,6 @@ NETSNMP_IMPORT
+ netsnmp_pdu *snmp_fix_pdu( netsnmp_pdu *pdu, int idx);
+ NETSNMP_IMPORT
+ void snmp_free_pdu( netsnmp_pdu *pdu);
+-NETSNMP_IMPORT
+-void snmp_free_securityStateRef( netsnmp_pdu *pdu);
+
+ #ifdef __cplusplus
+ }
+diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c
+--- a/snmplib/snmp_api.c 2020-06-11 10:20:31.695339627 +0200
++++ b/snmplib/snmp_api.c 2020-06-11 10:33:55.510891945 +0200
+@@ -4034,17 +4034,6 @@ free_securityStateRef(netsnmp_pdu* pdu)
+ pdu->securityStateRef = NULL;
+ }
+
+-/*
+- * This function is here to provide a separate call to
+- * free the securityStateRef memory. This is needed to prevent
+- * a double free if this memory is freed in snmp_free_pdu.
+- */
+-void
+-snmp_free_securityStateRef(netsnmp_pdu* pdu)
+-{
+- free_securityStateRef(pdu);
+-}
+-
+ #define ERROR_STAT_LENGTH 11
+
+ int
+@@ -5473,6 +5462,8 @@ snmp_free_pdu(netsnmp_pdu *pdu)
+ if (!pdu)
+ return;
+
++ free_securityStateRef(pdu);
++
+ /*
+ * If the command field is empty, that probably indicates
+ * that this PDU structure has already been freed.
+@@ -5647,12 +5638,6 @@ _sess_process_packet_parse_pdu(void *ses + } + + if (ret != SNMP_ERR_NOERROR) { +- /* +- * Call the security model to free any securityStateRef supplied w/ msg. +- */ +- if (pdu->securityStateRef != NULL) { +- free_securityStateRef(pdu); +- } + snmp_free_pdu(pdu); + return NULL; + } +@@ -5826,12 +5811,6 @@ _sess_process_packet_handle_pdu(void *se + } + } + +- /* +- * Call USM to free any securityStateRef supplied with the message. +- */ +- if (pdu->securityStateRef && pdu->command == SNMP_MSG_TRAP2) +- free_securityStateRef(pdu); +- + if (!handled) { + if (sp->flags & SNMP_FLAGS_SHARED_SOCKET) + return -2; diff --git a/net-snmp.spec b/net-snmp.spec index d37d7c4..6718620 100644 --- a/net-snmp.spec +++ b/net-snmp.spec @@ -10,7 +10,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.8 -Release: 21%{?dist} +Release: 22%{?dist} Epoch: 1 License: BSD @@ -50,6 +50,16 @@ Patch20: net-snmp-5.8-usage-exit.patch Patch21: net-snmp-5.8-coverity.patch Patch22: net-snmp-5.8-flood-messages.patch Patch23: net-snmp-5.8-sec-counter.patch +Patch24: net-snmp-5.8-proxy-getnext.patch +Patch25: net-snmp-5.8-dskTable-dynamic.patch +Patch26: net-snmp-5.8-expand-SNMPCONFPATH.patch +Patch27: net-snmp-5.8-duplicate-ipAddress.patch +Patch28: net-snmp-5.8-memory-reporting.patch +Patch29: net-snmp-5.8-man-page.patch +Patch30: net-snmp-5.8-ipAddress-faster-load.patch +Patch31: net-snmp-5.8-rpm-memory-leak.patch +Patch32: net-snmp-5.8-sec-memory-leak.patch +Patch33: net-snmp-5.8-aes-config.patch # Modern RPM API means at least EL6 Patch101: net-snmp-5.8-modern-rpm-api.patch 
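Review bot: In `snmplib/snmp_api.c`, `snmp_free_pdu()` now calls `free_securityStateRef(pdu)` directly after the NULL check and before the block whose comment says an empty command field probably means the PDU was already freed, so on that path the function reads and frees through `pdu->securityStateRef` before the guard can stop it. Placing `free_securityStateRef(pdu);` after that command-field check instead of before it keeps the existing protection; the guard's body is outside the hunk, so confirm it returns early. Because every `snmp_free_pdu()` now releases the reference, any path that copies a `securityStateRef` pointer from one PDU to another would free it twice, and the removed comments say the separate call existed to prevent a double free, so the clone and agent-session paths not shown here are worth auditing. Removing the exported `snmp_free_securityStateRef()` from `pdu_api.h` also breaks out-of-tree callers of that symbol.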
@@ -238,7 +248,16 @@ cp %{SOURCE10} . %patch21 -p1 -b .coverity %patch22 -p1 -b .flood-messages %patch23 -p1 -b .sec-counter - +%patch24 -p1 -b .proxy-getnext +%patch25 -p1 -b .dskTable-dynamic +%patch26 -p1 -b .expand-SNMPCONFPATH +%patch27 -p1 -b .duplicate-ipAddress +%patch28 -p1 -b .memory-reporting +%patch29 -p1 -b .man-page +%patch30 -p1 -b .ipAddress-faster-load +%patch31 -p1 -b .rpm-memory-leak +%patch32 -p1 -b .sec-memory-leak +%patch33 -p1 -b .aes-config %patch101 -p1 -b .modern-rpm-api %patch102 -p1 @@ -267,6 +286,7 @@ MIBS="$MIBS ucd-snmp/lmsensorsMib" %configure \ --disable-static --enable-shared \ --enable-as-needed \ + --enable-blumenthal-aes \ --enable-embedded-perl \ --enable-ipv6 \ --enable-local-smux \ @@ -507,6 +527,19 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test %{_libdir}/libnetsnmptrapd*.so.%{soname}* %changelog +* Tue Jul 07 2020 Josef Ridky - 1:5.8-22 +- proxied OIDs unspecified in proxy statement in snmpd.conf +- UCD-SNMP-MIB::dskTable doesn't update dynamically +- expand SNMPCONFPATH variable +- log meningful message on duplicate IP address +- memory reporting adjustment +- fix typos in man page +- speedup ipAddressTable loading +- fix memory leak when shut down librpm +- services starts after network-online.target +- add missing part of memory leak patch +- add support for AES192 and AES256 + * Mon Jun 22 2020 Jitka Plesnikova - 1:5.8-21 - Perl 5.32 rebuild diff --git a/snmpd.service b/snmpd.service index adb394d..8f6cb2e 100644 --- a/snmpd.service +++ b/snmpd.service @@ -1,6 +1,6 @@ [Unit] Description=Simple Network Management Protocol (SNMP) Daemon. -After=syslog.target network.target +After=syslog.target network-online.target [Service] Type=notify diff --git a/snmptrapd.service b/snmptrapd.service index 9835a38..ec71e75 100644 --- a/snmptrapd.service +++ b/snmptrapd.service 
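Review bot: `snmpd.service` now orders itself with `After=syslog.target network-online.target`, but the `[Unit]` section shown has no `Wants=network-online.target`. `After=` only orders units and does not pull the target into the boot transaction, so the daemon can still start before addresses are configured unless some other unit requests that target. Add `Wants=network-online.target` next to the `After=` line; the same applies to the `snmptrapd.service` hunk that follows.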
@@ -1,6 +1,6 @@ [Unit] Description=Simple Network Management Protocol (SNMP) Trap Daemon. -After=syslog.target network.target +After=syslog.target network-online.target [Service] Type=notify