From b2ce63191d7cc2281b76b5131e8d205e979b54c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josef=20=C5=98=C3=ADdk=C3=BD?= Date: Thu, 9 Apr 2020 13:33:50 +0200 Subject: [PATCH] Fix multiple issues found in net-snmp. - exit snmpd after snmpd -h command - fix issues found by coverity scan - fix issue with flood messages - fix double free or corruption error when freeing security context --- net-snmp-5.7.3-iterator-fix.patch | 16 ++-- net-snmp-5.8-coverity.patch | 68 ++++++++++++++ net-snmp-5.8-flood-messages.patch | 26 ++++++ net-snmp-5.8-sec-counter.patch | 146 ++++++++++++++++++++++++++++++ net-snmp-5.8-usage-exit.patch | 11 +++ net-snmp.spec | 18 +++- 6 files changed, 276 insertions(+), 9 deletions(-) create mode 100644 net-snmp-5.8-coverity.patch create mode 100644 net-snmp-5.8-flood-messages.patch create mode 100644 net-snmp-5.8-sec-counter.patch create mode 100644 net-snmp-5.8-usage-exit.patch diff --git a/net-snmp-5.7.3-iterator-fix.patch b/net-snmp-5.7.3-iterator-fix.patch index 1505ca9..fb34caf 100644 --- a/net-snmp-5.7.3-iterator-fix.patch +++ b/net-snmp-5.7.3-iterator-fix.patch @@ -1,14 +1,14 @@ diff -urNp old/agent/mibgroup/host/data_access/swrun.c new/agent/mibgroup/host/data_access/swrun.c ---- old/agent/mibgroup/host/data_access/swrun.c 2018-03-26 09:00:39.932335587 +0200 -+++ new/agent/mibgroup/host/data_access/swrun.c 2018-03-26 09:03:00.845876681 +0200 -@@ -102,7 +102,9 @@ swrun_count_processes_by_name( char *nam +--- old/agent/mibgroup/host/data_access/swrun.c 2017-07-18 09:44:00.626109526 +0200 ++++ new/agent/mibgroup/host/data_access/swrun.c 2017-07-19 15:27:50.452255836 +0200 +@@ -102,6 +102,10 @@ swrun_count_processes_by_name( char *nam return 0; /* or -1 */ it = CONTAINER_ITERATOR( swrun_container ); -- while ((entry = (netsnmp_swrun_entry*)ITERATOR_NEXT( it )) != NULL) { -+ for (entry = (netsnmp_swrun_entry*)ITERATOR_FIRST( it ); -+ entry; -+ entry = (netsnmp_swrun_entry*)ITERATOR_NEXT( it )) { ++ if((entry = (netsnmp_swrun_entry*)ITERATOR_FIRST( it )) != NULL) { ++ if (0 == strcmp( entry->hrSWRunName, name )) ++ i++; ++ } + while ((entry = (netsnmp_swrun_entry*)ITERATOR_NEXT( it )) != NULL) { if (0 == strcmp( entry->hrSWRunName, name )) i++; - } diff --git a/net-snmp-5.8-coverity.patch b/net-snmp-5.8-coverity.patch new file mode 100644 index 0000000..4d41b31 --- /dev/null +++ b/net-snmp-5.8-coverity.patch @@ -0,0 +1,68 @@ +diff -urNp a/agent/mibgroup/disman/event/mteTrigger.c b/agent/mibgroup/disman/event/mteTrigger.c +--- a/agent/mibgroup/disman/event/mteTrigger.c 2018-09-27 10:43:38.722444233 +0200 ++++ b/agent/mibgroup/disman/event/mteTrigger.c 2018-09-27 11:01:46.503253963 +0200 +@@ -1012,7 +1012,7 @@ mteTrigger_run( unsigned int reg, void * + * Similarly, if no fallEvent is configured, + * there's no point in trying to fire it either. + */ +- if (entry->mteTThRiseEvent[0] != '\0' ) { ++ if (entry->mteTThFallEvent[0] != '\0' ) { + entry->mteTriggerXOwner = entry->mteTThObjOwner; + entry->mteTriggerXObjects = entry->mteTThObjects; + entry->mteTriggerFired = vp1; +@@ -1105,7 +1105,7 @@ mteTrigger_run( unsigned int reg, void * + * Similarly, if no fallEvent is configured, + * there's no point in trying to fire it either. + */ +- if (entry->mteTThDRiseEvent[0] != '\0' ) { ++ if (entry->mteTThDFallEvent[0] != '\0' ) { + entry->mteTriggerXOwner = entry->mteTThObjOwner; + entry->mteTriggerXObjects = entry->mteTThObjects; + entry->mteTriggerFired = vp1; +diff -urNp a/agent/mibgroup/hardware/cpu/cpu_linux.c b/agent/mibgroup/hardware/cpu/cpu_linux.c +--- a/agent/mibgroup/hardware/cpu/cpu_linux.c 2018-09-27 10:43:38.697444449 +0200 ++++ b/agent/mibgroup/hardware/cpu/cpu_linux.c 2018-09-27 11:12:07.109024625 +0200 +@@ -122,6 +122,7 @@ int netsnmp_cpu_arch_load( netsnmp_cache + bsize = getpagesize()-1; + buff = (char*)malloc(bsize+1); + if (buff == NULL) { ++ close(statfd); + return -1; + } + } +diff -urNp a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c +--- a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c 2018-09-27 10:43:38.711444328 +0200 ++++ b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c 2018-09-27 11:16:45.532231535 +0200 +@@ -543,15 +543,18 @@ netsnmp_access_ipaddress_extra_prefix_in + status = send (sd, &req, req.nlhdr.nlmsg_len, 0); + if (status < 0) { + snmp_log(LOG_ERR, "could not send netlink request\n"); ++ close(sd); + return -1; + } + status = recv (sd, buf, sizeof(buf), 0); + if (status < 0) { + snmp_log (LOG_ERR, "could not recieve netlink request\n"); ++ close(sd); + return -1; + } + if (status == 0) { + snmp_log (LOG_ERR, "nothing to read\n"); ++ close(sd); + return -1; + } + for (nlmp = (struct nlmsghdr *)buf; status > sizeof(*nlmp); ){ +@@ -561,11 +564,13 @@ netsnmp_access_ipaddress_extra_prefix_in + + if (req_len < 0 || len > status) { + snmp_log (LOG_ERR, "invalid netlink message\n"); ++ close(sd); + return -1; + } + + if (!NLMSG_OK (nlmp, status)) { + snmp_log (LOG_ERR, "invalid NLMSG message\n"); ++ close(sd); + return -1; + } + rtmp = (struct ifaddrmsg *)NLMSG_DATA(nlmp); diff --git a/net-snmp-5.8-flood-messages.patch b/net-snmp-5.8-flood-messages.patch new file mode 100644 index 0000000..49e8e44 --- /dev/null +++ b/net-snmp-5.8-flood-messages.patch @@ -0,0 +1,26 @@ +From cd09fd82522861830aaf9d237b26eef5f9ba50d2 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 21 Nov 2018 20:47:42 -0800 +Subject: [PATCH] MIB-II: Only log once that opening /proc/net/if_inet6 failed + +If IPv6 has been disabled (ipv6.disable=1) then opening /proc/net/if_inet6 +fails. Only log this once instead of thousand of times a day. + +Reported-by: Fif +--- + agent/mibgroup/ip-mib/data_access/ipaddress_linux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c +index 5ddead3e0..280575ce3 100644 +--- a/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c ++++ b/agent/mibgroup/ip-mib/data_access/ipaddress_linux.c +@@ -234,7 +234,7 @@ _load_v6(netsnmp_container *container, int idx_offset) + + #define PROCFILE "/proc/net/if_inet6" + if (!(in = fopen(PROCFILE, "r"))) { +- snmp_log_perror("ipaddress_linux: could not open " PROCFILE); ++ NETSNMP_LOGONCE((LOG_ERR, "ipaddress_linux: could not open " PROCFILE)); + return -2; + } + diff --git a/net-snmp-5.8-sec-counter.patch b/net-snmp-5.8-sec-counter.patch new file mode 100644 index 0000000..9514e5b --- /dev/null +++ b/net-snmp-5.8-sec-counter.patch @@ -0,0 +1,146 @@ +diff -urNp a/include/net-snmp/library/snmpusm.h b/include/net-snmp/library/snmpusm.h +--- a/include/net-snmp/library/snmpusm.h 2020-03-16 09:54:29.883655600 +0100 ++++ b/include/net-snmp/library/snmpusm.h 2020-03-16 09:55:24.142944520 +0100 +@@ -43,6 +43,7 @@ extern "C" { + * Structures. + */ + struct usmStateReference { ++ int refcnt; + char *usr_name; + size_t usr_name_length; + u_char *usr_engine_id; +diff -urNp a/snmplib/snmp_client.c b/snmplib/snmp_client.c +--- a/snmplib/snmp_client.c 2020-03-16 09:54:29.892655813 +0100 ++++ b/snmplib/snmp_client.c 2020-03-16 09:58:13.214021890 +0100 +@@ -402,27 +402,16 @@ _clone_pdu_header(netsnmp_pdu *pdu) + return NULL; + } + +- if (pdu->securityStateRef && +- pdu->command == SNMP_MSG_TRAP2) { +- +- ret = usm_clone_usmStateReference((struct usmStateReference *) pdu->securityStateRef, +- (struct usmStateReference **) &newpdu->securityStateRef ); +- +- if (ret) +- { ++ sptr = find_sec_mod(newpdu->securityModel); ++ if (sptr && sptr->pdu_clone) { ++ /* call security model if it needs to know about this */ ++ ret = sptr->pdu_clone(pdu, newpdu); ++ if (ret) { + snmp_free_pdu(newpdu); + return NULL; + } + } + +- if ((sptr = find_sec_mod(newpdu->securityModel)) != NULL && +- sptr->pdu_clone != NULL) { +- /* +- * call security model if it needs to know about this +- */ +- (*sptr->pdu_clone) (pdu, newpdu); +- } +- + return newpdu; + } + +diff -urNp a/snmplib/snmpusm.c b/snmplib/snmpusm.c +--- a/snmplib/snmpusm.c 2020-03-16 09:54:29.894655860 +0100 ++++ b/snmplib/snmpusm.c 2020-03-16 10:03:38.870027530 +0100 +@@ -285,43 +285,64 @@ free_enginetime_on_shutdown(int majorid, + struct usmStateReference * + usm_malloc_usmStateReference(void) + { +- struct usmStateReference *retval = (struct usmStateReference *) +- calloc(1, sizeof(struct usmStateReference)); ++ struct usmStateReference *retval; ++ ++ retval = calloc(1, sizeof(struct usmStateReference)); ++ if (retval) ++ retval->refcnt = 1; + + return retval; + } /* end usm_malloc_usmStateReference() */ + ++static int ++usm_clone(netsnmp_pdu *pdu, netsnmp_pdu *new_pdu) ++{ ++ struct usmStateReference *ref = pdu->securityStateRef; ++ struct usmStateReference **new_ref = ++ (struct usmStateReference **)&new_pdu->securityStateRef; ++ int ret = 0; ++ ++ if (!ref) ++ return ret; ++ ++ if (pdu->command == SNMP_MSG_TRAP2) { ++ netsnmp_assert(pdu->securityModel == SNMP_DEFAULT_SECMODEL); ++ ret = usm_clone_usmStateReference(ref, new_ref); ++ } else { ++ netsnmp_assert(ref == *new_ref); ++ ref->refcnt++; ++ } ++ ++ return ret; ++} ++ + + void + usm_free_usmStateReference(void *old) + { +- struct usmStateReference *old_ref = (struct usmStateReference *) old; ++ struct usmStateReference *ref = old; + +- if (old_ref) { ++ if (!ref) ++ return; + +- if (old_ref->usr_name_length) +- SNMP_FREE(old_ref->usr_name); +- if (old_ref->usr_engine_id_length) +- SNMP_FREE(old_ref->usr_engine_id); +- if (old_ref->usr_auth_protocol_length) +- SNMP_FREE(old_ref->usr_auth_protocol); +- if (old_ref->usr_priv_protocol_length) +- SNMP_FREE(old_ref->usr_priv_protocol); +- +- if (old_ref->usr_auth_key_length && old_ref->usr_auth_key) { +- SNMP_ZERO(old_ref->usr_auth_key, old_ref->usr_auth_key_length); +- SNMP_FREE(old_ref->usr_auth_key); +- } +- if (old_ref->usr_priv_key_length && old_ref->usr_priv_key) { +- SNMP_ZERO(old_ref->usr_priv_key, old_ref->usr_priv_key_length); +- SNMP_FREE(old_ref->usr_priv_key); +- } ++ if (--ref->refcnt > 0) ++ return; + +- SNMP_ZERO(old_ref, sizeof(*old_ref)); +- SNMP_FREE(old_ref); ++ SNMP_FREE(ref->usr_name); ++ SNMP_FREE(ref->usr_engine_id); ++ SNMP_FREE(ref->usr_auth_protocol); ++ SNMP_FREE(ref->usr_priv_protocol); + ++ if (ref->usr_auth_key_length && ref->usr_auth_key) { ++ SNMP_ZERO(ref->usr_auth_key, ref->usr_auth_key_length); ++ SNMP_FREE(ref->usr_auth_key); ++ } ++ if (ref->usr_priv_key_length && ref->usr_priv_key) { ++ SNMP_ZERO(ref->usr_priv_key, ref->usr_priv_key_length); ++ SNMP_FREE(ref->usr_priv_key); + } + ++ SNMP_FREE(ref); + } /* end usm_free_usmStateReference() */ + + struct usmUser * +@@ -3316,6 +3337,7 @@ init_usm(void) + def->encode_reverse = usm_secmod_rgenerate_out_msg; + def->encode_forward = usm_secmod_generate_out_msg; + def->decode = usm_secmod_process_in_msg; ++ def->pdu_clone = usm_clone; + def->pdu_free_state_ref = usm_free_usmStateReference; + def->session_setup = usm_session_init; + def->handle_report = usm_handle_report; diff --git a/net-snmp-5.8-usage-exit.patch b/net-snmp-5.8-usage-exit.patch new file mode 100644 index 0000000..38b80ac --- /dev/null +++ b/net-snmp-5.8-usage-exit.patch @@ -0,0 +1,11 @@ +diff -urNp a/agent/snmpd.c b/agent/snmpd.c +--- a/agent/snmpd.c 2018-10-04 10:34:10.939728847 +0200 ++++ b/agent/snmpd.c 2018-10-04 10:34:43.910625603 +0200 +@@ -325,6 +325,7 @@ usage(char *prog) + " -S d|i|0-7\t\tuse -Ls instead\n" + "\n" + ); ++ exit(1); + } + + static void diff --git a/net-snmp.spec b/net-snmp.spec index c42ec3e..1bbe1b0 100644 --- a/net-snmp.spec +++ b/net-snmp.spec @@ -10,7 +10,7 @@ Summary: A collection of SNMP protocol tools and libraries Name: net-snmp Version: 5.8 -Release: 18%{?dist} +Release: 19%{?dist} Epoch: 1 License: BSD @@ -46,6 +46,10 @@ Patch16: net-snmp-5.8-licensing.patch Patch17: net-snmp-5.8-agent-of-death.patch Patch18: net-snmp-5.8-trapsink.patch Patch19: net-snmp-5.8-v3-forward.patch +Patch20: net-snmp-5.8-usage-exit.patch +Patch21: net-snmp-5.8-coverity.patch +Patch22: net-snmp-5.8-flood-messages.patch +Patch23: net-snmp-5.8-sec-counter.patch # Modern RPM API means at least EL6 Patch101: net-snmp-5.8-modern-rpm-api.patch @@ -230,6 +234,12 @@ cp %{SOURCE10} . %patch17 -p1 -b .agent-of-death %patch18 -p1 -b .trapsink %patch19 -p1 -b .v3-forward +%patch20 -p1 -b .usage-fix +%patch21 -p1 -b .coverity +%patch22 -p1 -b .flood-messages +%patch23 -p1 -b .sec-counter + + %patch101 -p1 -b .modern-rpm-api %patch102 -p1 @@ -497,6 +507,12 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test %{_libdir}/libnetsnmptrapd*.so.%{soname}* %changelog +* Thu Apr 09 2020 Josef Ridky -1:5.8-19 +- exit snmpd after snmpd -h command +- fix issues found by coverity scan +- fix issue with flood messages +- fix double free or corruption error when freeing security context + * Tue Mar 24 2020 Petr Pisar - 1:5.8-18 - Build-require Perl dependencies for running the tests