tags 894110 + patch
thanks
Hi,
> net-snmp: CVE-2018-1000116
I will upload to wheezy LTS in a few moments, but I have also prepared
a patch for jessie (attached).
Security team — do I have an ACK to upload to jessie-security?
Best wishes,
--
,''`.
: :' : Chris Lamb
`. `'` la...@debian.org / chris-lamb.co.uk
`-
--- net-snmp-5.7.2.1+dfsg.orig/snmplib/snmp_api.c
+++ net-snmp-5.7.2.1+dfsg/snmplib/snmp_api.c
@@ -4345,10 +4345,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
u_char type;
u_char msg_type;
u_char *var_val;
- int badtype = 0;
size_t len;
size_t four;
- netsnmp_variable_list *vp = NULL;
+ netsnmp_variable_list *vp = NULL, *vplast = NULL;
oid objid[MAX_OID_LEN];
/*
@@ -4356,7 +4355,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
*/
data = asn_parse_header(data, length, &msg_type);
if (data == NULL)
- return -1;
+ goto fail;
DEBUGMSGTL(("dumpv_recv"," Command %s\n", snmp_pdu_type(msg_type)));
pdu->command = msg_type;
pdu->flags &= (~UCD_MSG_FLAG_RESPONSE_PDU);
@@ -4487,38 +4486,23 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
(ASN_SEQUENCE | ASN_CONSTRUCTOR),
"varbinds");
if (data == NULL)
- return -1;
+ goto fail;
/*
* get each varBind sequence
*/
while ((int) *length > 0) {
- netsnmp_variable_list *vptemp;
- vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
- if (NULL == vptemp) {
- return -1;
- }
- if (NULL == vp) {
- pdu->variables = vptemp;
- } else {
- vp->next_variable = vptemp;
- }
- vp = vptemp;
-
- vp->next_variable = NULL;
- vp->val.string = NULL;
+ vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
+ if (NULL == vp)
+ goto fail;
vp->name_length = MAX_OID_LEN;
- vp->name = NULL;
- vp->index = 0;
- vp->data = NULL;
- vp->dataFreeHook = NULL;
DEBUGDUMPSECTION("recv", "VarBind");
data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
&vp->val_len, &var_val, length);
if (data == NULL)
- return -1;
+ goto fail;
if (snmp_set_var_objid(vp, objid, vp->name_length))
- return -1;
+ goto fail;
len = MAX_PACKET_LENGTH;
DEBUGDUMPHEADER("recv", "Value");
@@ -4583,7 +4567,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
vp->val.string = (u_char *) malloc(vp->val_len);
}
if (vp->val.string == NULL) {
- return -1;
+ goto fail;
}
asn_parse_string(var_val, &len, &vp->type, vp->val.string,
&vp->val_len);
@@ -4594,7 +4578,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
vp->val_len *= sizeof(oid);
vp->val.objid = (oid *) malloc(vp->val_len);
if (vp->val.objid == NULL) {
- return -1;
+ goto fail;
}
memmove(vp->val.objid, objid, vp->val_len);
break;
@@ -4606,19 +4590,34 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char
case ASN_BIT_STR:
vp->val.bitstring = (u_char *) malloc(vp->val_len);
if (vp->val.bitstring == NULL) {
- return -1;
+ goto fail;
}
asn_parse_bitstring(var_val, &len, &vp->type,
vp->val.bitstring, &vp->val_len);
break;
default:
snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
- badtype = -1;
+ goto fail;
break;
}
DEBUGINDENTADD(-4);
+ if (NULL == vplast) {
+ pdu->variables = vp;
+ } else {
+ vplast->next_variable = vp;
+ }
+ vplast = vp;
+ vp = NULL;
}
- return badtype;
+ return 0;
+
+ fail:
+ DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
+ /** if we were parsing a var, remove it from the pdu and free it */
+ if (vp)
+ snmp_free_var(vp);
+
+ return -1;
}
/*
