[Pkg-net-snmp-commits] r261 - branches/net-snmp54/debian/patches

Mon Nov 3 16:54:30 UTC 2008

Author: jochen
Date: 2008-11-03 16:54:30 +0000 (Mon, 03 Nov 2008)
New Revision: 261

Added:
   branches/net-snmp54/debian/patches/55_cve2008_4309.README
   branches/net-snmp54/debian/patches/55_cve2008_4309.patch
Log:
Add upstream changeset 17292 to fix the getbulk issue CVE-2008-4309


Added: branches/net-snmp54/debian/patches/55_cve2008_4309.README
===================================================================

--- branches/net-snmp54/debian/patches/55_cve2008_4309.README	                        (rev 0)
+++ branches/net-snmp54/debian/patches/55_cve2008_4309.README	2008-11-03 16:54:30 UTC (rev 261)
@@ -0,0 +1,2 @@
+Upstream changeset 17292: Fix for CVE-2008-4309.
+NEWS: snmpd: Applying patch from Magnus Fromreide to fix the getbulk issue reported by Oscar Mira-Sanchez

Added: branches/net-snmp54/debian/patches/55_cve2008_4309.patch
===================================================================
--- branches/net-snmp54/debian/patches/55_cve2008_4309.patch	                        (rev 0)
+++ branches/net-snmp54/debian/patches/55_cve2008_4309.patch	2008-11-03 16:54:30 UTC (rev 261)
@@ -0,0 +1,60 @@
+Index: agent/snmp_agent.c
+===================================================================
+--- net-snmp-5.4.1.orig/agent/snmp_agent.c	(Revision 17291)
++++ net-snmp-5.4.1/agent/snmp_agent.c	(Revision 17292)
+@@ -2174,7 +2174,6 @@
+             r = 0;
+             asp->bulkcache = NULL;
+         } else {
+-            int numresponses;
+             int           maxbulk =
+                 netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
+                                    NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
+@@ -2185,28 +2184,31 @@
+             if (maxresponses == 0)
+                 maxresponses = 100;   /* more than reasonable default */
+ 
+-            if (maxbulk == 0)
+-                maxbulk = -1;
++            /* ensure that the total number of responses fits in a mallocable
++             * result vector
++             */
++            if (maxresponses < 0 ||
++                maxresponses > INT_MAX / sizeof(struct varbind_list *))
++                maxresponses = INT_MAX / sizeof(struct varbind_list *);
+ 
++            /* ensure that the maximum number of repetitions will fit in the
++             * result vector
++             */
++            if (maxbulk <= 0 || maxbulk > maxresponses / r)
++                maxbulk = maxresponses / r;
++
+             /* limit getbulk number of repeats to a configured size */
+-            if (asp->pdu->errindex > maxbulk && maxbulk != -1) {
++            if (asp->pdu->errindex > maxbulk) {
+                 asp->pdu->errindex = maxbulk;
++                DEBUGMSGTL(("snmp_agent",
++                            "truncating number of getbulk repeats to %d\n",
++                            asp->pdu->errindex));
+             }
+ 
+-            numresponses = asp->pdu->errindex * r;
++            asp->bulkcache =
++                (netsnmp_variable_list **) malloc(
++                    asp->pdu->errindex * r * sizeof(struct varbind_list *));
+ 
+-            /* limit getbulk number of getbulk responses to a configured size */
+-            if (maxresponses != -1 && numresponses > maxresponses) {
+-                /* attempt to truncate this */
+-                asp->pdu->errindex = maxresponses/r;
+-                numresponses = asp->pdu->errindex * r;
+-                DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex));
+-            }
+-
+-            asp->bulkcache =
+-                (netsnmp_variable_list **) malloc(numresponses *
+-                                                  sizeof(struct
+-                                                         varbind_list *));
+             if (!asp->bulkcache) {
+                 DEBUGMSGTL(("snmp_agent", "Bulkcache malloc failed\n"));
+                 return SNMP_ERR_GENERR;


