Merge branch 'f27' into f26
This commit is contained in:
Josef Ridky
commit
520b02958c
|
|
@ -0,0 +1,200 @@
|
|||
diff -urNp old/snmplib/snmp_api.c new/snmplib/snmp_api.c
|
||||
--- old/snmplib/snmp_api.c 2018-03-08 09:08:50.675762351 +0100
|
||||
+++ new/snmplib/snmp_api.c 2018-03-08 09:27:13.289076553 +0100
|
||||
@@ -4350,12 +4350,10 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
|
||||
u_char type;
|
||||
u_char msg_type;
|
||||
u_char *var_val;
|
||||
- int badtype = 0;
|
||||
size_t len;
|
||||
size_t four;
|
||||
- netsnmp_variable_list *vp = NULL;
|
||||
+ netsnmp_variable_list *vp = NULL, *vplast = NULL;
|
||||
oid objid[MAX_OID_LEN];
|
||||
- u_char *p;
|
||||
|
||||
/*
|
||||
* Get the PDU type
|
||||
@@ -4493,38 +4491,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
|
||||
(ASN_SEQUENCE | ASN_CONSTRUCTOR),
|
||||
"varbinds");
|
||||
if (data == NULL)
|
||||
- return -1;
|
||||
+ goto fail;
|
||||
|
||||
/*
|
||||
* get each varBind sequence
|
||||
*/
|
||||
while ((int) *length > 0) {
|
||||
- netsnmp_variable_list *vptemp;
|
||||
- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
|
||||
- if (NULL == vptemp) {
|
||||
- return -1;
|
||||
- }
|
||||
- if (NULL == vp) {
|
||||
- pdu->variables = vptemp;
|
||||
- } else {
|
||||
- vp->next_variable = vptemp;
|
||||
- }
|
||||
- vp = vptemp;
|
||||
+ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
|
||||
+ if (NULL == vp)
|
||||
+ goto fail;
|
||||
|
||||
- vp->next_variable = NULL;
|
||||
- vp->val.string = NULL;
|
||||
vp->name_length = MAX_OID_LEN;
|
||||
- vp->name = NULL;
|
||||
- vp->index = 0;
|
||||
- vp->data = NULL;
|
||||
- vp->dataFreeHook = NULL;
|
||||
DEBUGDUMPSECTION("recv", "VarBind");
|
||||
data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
|
||||
&vp->val_len, &var_val, length);
|
||||
if (data == NULL)
|
||||
- return -1;
|
||||
+ goto fail;
|
||||
if (snmp_set_var_objid(vp, objid, vp->name_length))
|
||||
- return -1;
|
||||
+ goto fail;
|
||||
|
||||
len = MAX_PACKET_LENGTH;
|
||||
DEBUGDUMPHEADER("recv", "Value");
|
||||
@@ -4532,11 +4516,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
|
||||
case ASN_INTEGER:
|
||||
vp->val.integer = (long *) vp->buf;
|
||||
vp->val_len = sizeof(long);
|
||||
- p = asn_parse_int(var_val, &len, &vp->type,
|
||||
+ asn_parse_int(var_val, &len, &vp->type,
|
||||
(long *) vp->val.integer,
|
||||
sizeof(*vp->val.integer));
|
||||
- if (!p)
|
||||
- return -1;
|
||||
break;
|
||||
case ASN_COUNTER:
|
||||
case ASN_GAUGE:
|
||||
@@ -4544,11 +4526,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
|
||||
case ASN_UINTEGER:
|
||||
vp->val.integer = (long *) vp->buf;
|
||||
vp->val_len = sizeof(u_long);
|
||||
- p = asn_parse_unsigned_int(var_val, &len, &vp->type,
|
||||
+ asn_parse_unsigned_int(var_val, &len, &vp->type,
|
||||
(u_long *) vp->val.integer,
|
||||
vp->val_len);
|
||||
- if (!p)
|
||||
- return -1;
|
||||
break;
|
||||
#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
|
||||
case ASN_OPAQUE_COUNTER64:
|
||||
@@ -4557,38 +4537,30 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
|
||||
case ASN_COUNTER64:
|
||||
vp->val.counter64 = (struct counter64 *) vp->buf;
|
||||
vp->val_len = sizeof(struct counter64);
|
||||
- p = asn_parse_unsigned_int64(var_val, &len, &vp->type,
|
||||
+ asn_parse_unsigned_int64(var_val, &len, &vp->type,
|
||||
(struct counter64 *) vp->val.
|
||||
counter64, vp->val_len);
|
||||
- if (!p)
|
||||
- return -1;
|
||||
break;
|
||||
#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
|
||||
case ASN_OPAQUE_FLOAT:
|
||||
vp->val.floatVal = (float *) vp->buf;
|
||||
vp->val_len = sizeof(float);
|
||||
- p = asn_parse_float(var_val, &len, &vp->type,
|
||||
+ asn_parse_float(var_val, &len, &vp->type,
|
||||
vp->val.floatVal, vp->val_len);
|
||||
- if (!p)
|
||||
- return -1;
|
||||
break;
|
||||
case ASN_OPAQUE_DOUBLE:
|
||||
vp->val.doubleVal = (double *) vp->buf;
|
||||
vp->val_len = sizeof(double);
|
||||
- p = asn_parse_double(var_val, &len, &vp->type,
|
||||
+ asn_parse_double(var_val, &len, &vp->type,
|
||||
vp->val.doubleVal, vp->val_len);
|
||||
- if (!p)
|
||||
- return -1;
|
||||
break;
|
||||
case ASN_OPAQUE_I64:
|
||||
vp->val.counter64 = (struct counter64 *) vp->buf;
|
||||
vp->val_len = sizeof(struct counter64);
|
||||
- p = asn_parse_signed_int64(var_val, &len, &vp->type,
|
||||
+ asn_parse_signed_int64(var_val, &len, &vp->type,
|
||||
(struct counter64 *) vp->val.counter64,
|
||||
sizeof(*vp->val.counter64));
|
||||
|
||||
- if (!p)
|
||||
- return -1;
|
||||
break;
|
||||
#endif /* NETSNMP_WITH_OPAQUE_SPECIAL_TYPES */
|
||||
case ASN_IPADDRESS:
|
||||
@@ -4604,22 +4576,18 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
|
||||
vp->val.string = (u_char *) malloc(vp->val_len);
|
||||
}
|
||||
if (vp->val.string == NULL) {
|
||||
- return -1;
|
||||
+ goto fail;
|
||||
}
|
||||
- p = asn_parse_string(var_val, &len, &vp->type, vp->val.string,
|
||||
+ asn_parse_string(var_val, &len, &vp->type, vp->val.string,
|
||||
&vp->val_len);
|
||||
- if (!p)
|
||||
- return -1;
|
||||
break;
|
||||
case ASN_OBJECT_ID:
|
||||
vp->val_len = MAX_OID_LEN;
|
||||
- p = asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len);
|
||||
- if (!p)
|
||||
- return -1;
|
||||
+ asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len);
|
||||
vp->val_len *= sizeof(oid);
|
||||
vp->val.objid = (oid *) malloc(vp->val_len);
|
||||
if (vp->val.objid == NULL) {
|
||||
- return -1;
|
||||
+ goto fail;
|
||||
}
|
||||
memmove(vp->val.objid, objid, vp->val_len);
|
||||
break;
|
||||
@@ -4631,21 +4599,34 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
|
||||
case ASN_BIT_STR:
|
||||
vp->val.bitstring = (u_char *) malloc(vp->val_len);
|
||||
if (vp->val.bitstring == NULL) {
|
||||
- return -1;
|
||||
+ goto fail;
|
||||
}
|
||||
- p = asn_parse_bitstring(var_val, &len, &vp->type,
|
||||
+ asn_parse_bitstring(var_val, &len, &vp->type,
|
||||
vp->val.bitstring, &vp->val_len);
|
||||
- if (!p)
|
||||
- return -1;
|
||||
break;
|
||||
default:
|
||||
snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
|
||||
- badtype = -1;
|
||||
+ goto fail;
|
||||
break;
|
||||
}
|
||||
DEBUGINDENTADD(-4);
|
||||
- }
|
||||
- return badtype;
|
||||
+ if (NULL == vplast) {
|
||||
+ pdu->variables = vp;
|
||||
+ } else {
|
||||
+ vplast->next_variable = vp;
|
||||
+ }
|
||||
+ vplast = vp;
|
||||
+ vp = NULL;
|
||||
+ }
|
||||
+ return 0;
|
||||
+
|
||||
+ fail:
|
||||
+ DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
|
||||
+ /** if we were parsing a var, remove it from the pdu and free it */
|
||||
+ if (vp)
|
||||
+ snmp_free_var(vp);
|
||||
+
|
||||
+ return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
@ -11,7 +11,7 @@
|
|||
Summary: A collection of SNMP protocol tools and libraries
|
||||
Name: net-snmp
|
||||
Version: 5.7.3
|
||||
Release: 26%{?dist}
|
||||
Release: 27%{?dist}
|
||||
Epoch: 1
|
||||
|
||||
License: BSD
|
||||
|
|
@ -62,7 +62,7 @@ Patch17: net-snmp-5.7.3-mariadb102.patch
|
|||
# https://sourceforge.net/p/net-snmp/bugs/2792/attachment/0001-Link-libnetsnmptrapd-against-MYSQL_LIBS.patch
|
||||
# (rebased on 5.7.3)
|
||||
Patch18: 0001-Link-libnetsnmptrapd-against-MYSQL_LIBS.patch
|
||||
|
||||
Patch19: net-snmp-5.7.3-CVE-2018-1000116.patch
|
||||
# This patch fix issue with new OpenSLL library in rawhide (f26+)
|
||||
# !!!WARNING!!! DO NOT USE IT FOR OLDER FEDORA RELEASES (>f26)
|
||||
Patch100: net-snmp-5.7.3-openssl.patch
|
||||
|
|
@ -244,6 +244,7 @@ cp %{SOURCE12} .
|
|||
%patch16 -p1 -b .strtok-r
|
||||
%patch17 -p1 -b .mariadb102
|
||||
%patch18 -p1 -b .perlfix
|
||||
%patch19 -p1 -b .CVE-2018-1000116
|
||||
%patch100 -p1 -b .openssl
|
||||
%patch101 -p1 -b .modern-rpm-api
|
||||
|
||||
|
|
@ -553,6 +554,9 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Mar 08 2018 Josef Ridky <jridky@redhat.com> - 1:5.7.3-27
|
||||
- CVE-2018-1000116 Heap corruption in snmp_pdu_parse (#1552844)
|
||||
|
||||
* Fri Feb 16 2018 Josef Ridky <jridky@redhat.com> - 1:5.7.3-26
|
||||
- Fix issue in systemd patch (#1545946)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue