net-snmp/net-snmp-5.4.1-getbulk-crash.patch

CVE-2008-4309: net-snmp: numresponses calculation integer overflow in snmp_agent.c

Source: upstream, http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17272

Index: clean/agent/snmp_agent.c
===================================================================
--- clean.orig/agent/snmp_agent.c	2008-10-28 23:12:10.000000000 +0100
+++ clean/agent/snmp_agent.c	2008-10-28 23:15:11.000000000 +0100
@@ -2234,7 +2234,6 @@
             r = 0;
             asp->bulkcache = NULL;
         } else {
-            int numresponses;
             int           maxbulk =
                 netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
                                    NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
@@ -2245,28 +2244,31 @@
             if (maxresponses == 0)
                 maxresponses = 100;   /* more than reasonable default */
 
-            if (maxbulk == 0)
-                maxbulk = -1;
+            /* ensure that the total number of responses fits in a mallocable
+             * result vector
+             */
+            if (maxresponses < 0 ||
+                maxresponses > INT_MAX / sizeof(struct varbind_list *))
+                maxresponses = INT_MAX / sizeof(struct varbind_list *);
+
+            /* ensure that the maximum number of repetitions will fit in the
+             * result vector
+             */
+            if (maxbulk <= 0 || maxbulk > maxresponses / r)
+                maxbulk = maxresponses / r;
 
             /* limit getbulk number of repeats to a configured size */
-            if (asp->pdu->errindex > maxbulk && maxbulk != -1) {
+            if (asp->pdu->errindex > maxbulk) {
                 asp->pdu->errindex = maxbulk;
-            }
-
-            numresponses = asp->pdu->errindex * r;
-
-            /* limit getbulk number of getbulk responses to a configured size */
-            if (maxresponses != -1 && numresponses > maxresponses) {
-                /* attempt to truncate this */
-                asp->pdu->errindex = maxresponses/r;
-                numresponses = asp->pdu->errindex * r;
-                DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex));
+                DEBUGMSGTL(("snmp_agent",
+                            "truncating number of getbulk repeats to %d\n",
+                            asp->pdu->errindex));
             }
 
             asp->bulkcache =
-                (netsnmp_variable_list **) malloc(numresponses *
-                                                  sizeof(struct
-                                                         varbind_list *));
+                (netsnmp_variable_list **) malloc(
+                    asp->pdu->errindex * r * sizeof(struct varbind_list *));
+
             if (!asp->bulkcache) {
                 DEBUGMSGTL(("snmp_agent", "Bulkcache malloc failed\n"));
                 return SNMP_ERR_GENERR;