← Back to branch summary

~ubuntu-branches/ubuntu/wily/net-snmp/wily-proposed

« back to all changes in this revision

Viewing changes to debian/patches/CVE-2014-2284.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2014-04-08 08:17:14 UTC
  • Revision ID: package-import@ubuntu.com-20140408081714-31du0g3p3ggkwe9o
Tags: 5.7.2~dfsg-8.1ubuntu3
* SECURITY UPDATE: denial of service via AgentX subagent timeout
  - debian/patches/CVE-2012-6151.patch: track cancelled sessions in
    agent/mibgroup/agentx/{master.c,master_admin.c}, agent/snmp_agent.c,
    include/net-snmp/agent/snmp_agent.h.
  - CVE-2012-6151
* SECURITY UPDATE: denial of service when ICMP-MIB is in use
  - debian/patches/CVE-2014-2284.patch: fix ICMP mib table handling in
    agent/mibgroup/mibII/icmp.c, agent/mibgroup/mibII/kernel_linux.*.
  - CVE-2014-2284
* SECURITY UPDATE: denial of service in perl trap handler
  - debian/patches/CVE-2014-2285.patch: handle empty community string in
    perl/TrapReceiver/TrapReceiver.xs.
  - CVE-2014-2285

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches/CVE-2014-2284.patch
 
1
commit a1fd64716f6794c55c34d77e618210238a73bfa1
 
2
Author: Wes Hardaker <hardaker@users.sourceforge.net>
 
3
Date:   Wed Feb 19 15:21:57 2014 -0800
 
4
 
 
5
    bug fix from fenner: fix ICMP mib table handling on linux
 
6
 
 
7
Index: net-snmp-5.7.2~dfsg/agent/mibgroup/mibII/icmp.c
 
8
===================================================================
 
9
--- net-snmp-5.7.2~dfsg.orig/agent/mibgroup/mibII/icmp.c        2014-03-11 09:17:48.404183162 -0400
 
10
+++ net-snmp-5.7.2~dfsg/agent/mibgroup/mibII/icmp.c     2014-03-11 09:17:48.396183162 -0400
 
11
@@ -106,10 +106,20 @@
 
12
         int flags;
 
13
 };
 
14
 
 
15
+#ifdef linux
 
16
+/* Linux keeps track of all possible message types */
 
17
+#define ICMP_MSG_STATS_IPV4_COUNT 256
 
18
+#else
 
19
 #define ICMP_MSG_STATS_IPV4_COUNT 11
 
20
+#endif
 
21
 
 
22
 #ifdef NETSNMP_ENABLE_IPV6
 
23
+#ifdef linux
 
24
+/* Linux keeps track of all possible message types */
 
25
+#define ICMP_MSG_STATS_IPV6_COUNT 256
 
26
+#else
 
27
 #define ICMP_MSG_STATS_IPV6_COUNT 14
 
28
+#endif
 
29
 #else
 
30
 #define ICMP_MSG_STATS_IPV6_COUNT 0
 
31
 #endif /* NETSNMP_ENABLE_IPV6 */
 
32
@@ -177,7 +187,7 @@
 
33
     inc = 0;
 
34
     linux_read_icmp_msg_stat(&v4icmp, &v4icmpmsg, &flag);
 
35
     if (flag) {
 
36
-        while (254 != k) {
 
37
+        while (255 >= k) {
 
38
             if (v4icmpmsg.vals[k].InType) {
 
39
                 icmp_msg_stats_table[i].ipVer = 1;
 
40
                 icmp_msg_stats_table[i].icmpMsgStatsType = k;
 
41
@@ -267,7 +277,7 @@
 
42
     inc = 0;
 
43
     linux_read_icmp6_msg_stat(&v6icmp, &v6icmpmsg, &flag);
 
44
     if (flag) {
 
45
-        while (254 != k) {
 
46
+        while (255 >= k) {
 
47
             if (v6icmpmsg.vals[k].InType) {
 
48
                 icmp_msg_stats_table[i].ipVer = 2;
 
49
                 icmp_msg_stats_table[i].icmpMsgStatsType = k;
 
50
@@ -1050,6 +1060,12 @@
 
51
                                        continue;
 
52
                                table_info = netsnmp_extract_table_info(request);
 
53
                                subid      = table_info->colnum;
 
54
+                               DEBUGMSGTL(( "mibII/icmpStatsTable", "oid: " ));
 
55
+                               DEBUGMSGOID(( "mibII/icmpStatsTable", request->requestvb->name,
 
56
+                                                request->requestvb->name_length ));
 
57
+                               DEBUGMSG(( "mibII/icmpStatsTable", " In %d InErr %d Out %d OutErr %d\n",
 
58
+                                             entry->icmpStatsInMsgs, entry->icmpStatsInErrors,
 
59
+                                             entry->icmpStatsOutMsgs, entry->icmpStatsOutErrors ));
 
60
 
 
61
                                switch (subid) {
 
62
                                        case ICMP_STAT_INMSG:
 
63
@@ -1117,6 +1133,11 @@
 
64
                     continue;
 
65
                 table_info = netsnmp_extract_table_info(request);
 
66
                 subid = table_info->colnum;
 
67
+                DEBUGMSGTL(( "mibII/icmpMsgStatsTable", "oid: " ));
 
68
+                DEBUGMSGOID(( "mibII/icmpMsgStatsTable", request->requestvb->name,
 
69
+                                 request->requestvb->name_length ));
 
70
+                DEBUGMSG(( "mibII/icmpMsgStatsTable", " In %d Out %d Flags 0x%x\n",
 
71
+                                 entry->icmpMsgStatsInPkts, entry->icmpMsgStatsOutPkts, entry->flags ));
 
72
 
 
73
                 switch (subid) {
 
74
                     case ICMP_MSG_STAT_IN_PKTS:
 
75
Index: net-snmp-5.7.2~dfsg/agent/mibgroup/mibII/kernel_linux.c
 
76
===================================================================
 
77
--- net-snmp-5.7.2~dfsg.orig/agent/mibgroup/mibII/kernel_linux.c        2014-03-11 09:17:48.404183162 -0400
 
78
+++ net-snmp-5.7.2~dfsg/agent/mibgroup/mibII/kernel_linux.c     2014-03-11 09:17:48.396183162 -0400
 
79
@@ -81,9 +81,9 @@
 
80
             index = strtol(token, &delim, 0);
 
81
             if (ERANGE == errno) {
 
82
                 continue;
 
83
-            } else if (index > LONG_MAX) {
 
84
+            } else if (index > 255) {
 
85
                 continue;
 
86
-            } else if (index < LONG_MIN) {
 
87
+            } else if (index < 0) {
 
88
                 continue;
 
89
             }
 
90
             if (NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
 
91
@@ -94,9 +94,9 @@
 
92
             index = strtol(token, &delim, 0);
 
93
             if (ERANGE == errno) {
 
94
                 continue;
 
95
-            } else if (index > LONG_MAX) {
 
96
+            } else if (index > 255) {
 
97
                 continue;
 
98
-            } else if (index < LONG_MIN) {
 
99
+            } else if (index < 0) {
 
100
                 continue;
 
101
             }
 
102
             if(NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
 
103
@@ -426,14 +426,21 @@
 
104
 
 
105
         vals = name;
 
106
         if (NULL != icmp6msgstat) {
 
107
+            int type;
 
108
             if (0 == strncmp(name, "Icmp6OutType", 12)) {
 
109
                 strsep(&vals, "e");
 
110
-                icmp6msgstat->vals[atoi(vals)].OutType = stats;
 
111
+                type = atoi(vals);
 
112
+                if ( type < 0 || type > 255 )
 
113
+                    continue;
 
114
+                icmp6msgstat->vals[type].OutType = stats;
 
115
                 *support = 1;
 
116
                 continue;
 
117
             } else if (0 == strncmp(name, "Icmp6InType", 11)) {
 
118
                 strsep(&vals, "e");
 
119
-                icmp6msgstat->vals[atoi(vals)].InType = stats;
 
120
+                type = atoi(vals);
 
121
+                if ( type < 0 || type > 255 )
 
122
+                    continue;
 
123
+                icmp6msgstat->vals[type].InType = stats;
 
124
                 *support = 1;
 
125
                 continue;
 
126
             }
 
127
Index: net-snmp-5.7.2~dfsg/agent/mibgroup/mibII/kernel_linux.h
 
128
===================================================================
 
129
--- net-snmp-5.7.2~dfsg.orig/agent/mibgroup/mibII/kernel_linux.h        2014-03-11 09:17:48.404183162 -0400
 
130
+++ net-snmp-5.7.2~dfsg/agent/mibgroup/mibII/kernel_linux.h     2014-03-11 09:17:48.396183162 -0400
 
131
@@ -121,11 +121,11 @@
 
132
 
 
133
 /* Lets use wrapper structures for future expansion */
 
134
 struct icmp4_msg_mib {
 
135
-    struct icmp_msg_mib vals[255];
 
136
+    struct icmp_msg_mib vals[256];
 
137
 };
 
138
 
 
139
 struct icmp6_msg_mib {
 
140
-    struct icmp_msg_mib vals[255];
 
141
+    struct icmp_msg_mib vals[256];
 
142
 };
 
143
 
 
144
 struct udp_mib {