Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 10 Aug 2015 02:15:53 +0000 (UTC)
From:      Ryan Steinmetz <zi@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r393838 - in head/net-mgmt/net-snmp: . files
Message-ID:  <201508100215.t7A2FrMv066401@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: zi
Date: Mon Aug 10 02:15:52 2015
New Revision: 393838
URL: https://svnweb.freebsd.org/changeset/ports/393838

Log:
  - Fix CVE-2015-5621
  - Bump PORTREVISION
  
  PR:		202099
  Submitted by:	serg@tmn.ru

Added:
  head/net-mgmt/net-snmp/files/patch-snmplib_snmp__api.c   (contents, props changed)
Modified:
  head/net-mgmt/net-snmp/Makefile

Modified: head/net-mgmt/net-snmp/Makefile
==============================================================================
--- head/net-mgmt/net-snmp/Makefile	Mon Aug 10 01:51:59 2015	(r393837)
+++ head/net-mgmt/net-snmp/Makefile	Mon Aug 10 02:15:52 2015	(r393838)
@@ -3,7 +3,7 @@
 
 PORTNAME=	snmp
 PORTVERSION=	5.7.3
-PORTREVISION=	7
+PORTREVISION=	8
 CATEGORIES=	net-mgmt ipv6
 MASTER_SITES=	SF/net-${PORTNAME}/net-${PORTNAME}/${PORTVERSION}
 PKGNAMEPREFIX=	net-

Added: head/net-mgmt/net-snmp/files/patch-snmplib_snmp__api.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/net-mgmt/net-snmp/files/patch-snmplib_snmp__api.c	Mon Aug 10 02:15:52 2015	(r393838)
@@ -0,0 +1,117 @@
+--- snmplib/snmp_api.c.orig	2014-12-08 20:23:22 UTC
++++ snmplib/snmp_api.c
+@@ -4350,10 +4350,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char 
+     u_char          type;
+     u_char          msg_type;
+     u_char         *var_val;
+-    int             badtype = 0;
+     size_t          len;
+     size_t          four;
+-    netsnmp_variable_list *vp = NULL;
++    netsnmp_variable_list *vp = NULL, *vplast = NULL;
+     oid             objid[MAX_OID_LEN];
+     u_char         *p;
+ 
+@@ -4493,38 +4492,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char 
+                               (ASN_SEQUENCE | ASN_CONSTRUCTOR),
+                               "varbinds");
+     if (data == NULL)
+-        return -1;
++        goto fail;
+ 
+     /*
+      * get each varBind sequence 
+      */
+     while ((int) *length > 0) {
+-        netsnmp_variable_list *vptemp;
+-        vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp));
+-        if (NULL == vptemp) {
+-            return -1;
+-        }
+-        if (NULL == vp) {
+-            pdu->variables = vptemp;
+-        } else {
+-            vp->next_variable = vptemp;
+-        }
+-        vp = vptemp;
++	vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list);
++	if (NULL == vp)
++	    goto fail;
+ 
+-        vp->next_variable = NULL;
+-        vp->val.string = NULL;
+         vp->name_length = MAX_OID_LEN;
+-        vp->name = NULL;
+-        vp->index = 0;
+-        vp->data = NULL;
+-        vp->dataFreeHook = NULL;
+         DEBUGDUMPSECTION("recv", "VarBind");
+         data = snmp_parse_var_op(data, objid, &vp->name_length, &vp->type,
+                                  &vp->val_len, &var_val, length);
+         if (data == NULL)
+-            return -1;
++            goto fail;
+         if (snmp_set_var_objid(vp, objid, vp->name_length))
+-            return -1;
++            goto fail;
+ 
+         len = MAX_PACKET_LENGTH;
+         DEBUGDUMPHEADER("recv", "Value");
+@@ -4604,7 +4589,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char 
+                 vp->val.string = (u_char *) malloc(vp->val_len);
+             }
+             if (vp->val.string == NULL) {
+-                return -1;
++                goto fail;
+             }
+             p = asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+                              &vp->val_len);
+@@ -4619,7 +4604,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char 
+             vp->val_len *= sizeof(oid);
+             vp->val.objid = (oid *) malloc(vp->val_len);
+             if (vp->val.objid == NULL) {
+-                return -1;
++                goto fail;
+             }
+             memmove(vp->val.objid, objid, vp->val_len);
+             break;
+@@ -4631,7 +4616,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char 
+         case ASN_BIT_STR:
+             vp->val.bitstring = (u_char *) malloc(vp->val_len);
+             if (vp->val.bitstring == NULL) {
+-                return -1;
++                goto fail;
+             }
+             p = asn_parse_bitstring(var_val, &len, &vp->type,
+                                 vp->val.bitstring, &vp->val_len);
+@@ -4640,12 +4625,28 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char 
+             break;
+         default:
+             snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
+-            badtype = -1;
++            goto fail;
+             break;
+         }
+         DEBUGINDENTADD(-4);
++
++	if (NULL == vplast) {
++	    pdu->variables = vp;
++	} else {
++	    vplast->next_variable = vp;
++	}
++	vplast = vp;
++	vp = NULL;
+     }
+-    return badtype;
++    return 0;
++
++  fail:
++    DEBUGMSGTL(("recv", "error while parsing VarBindList\n"));
++    /** if we were parsing a var, remove it from the pdu and free it */
++    if (vp)
++	snmp_free_var(vp);
++
++     return -1;
+ }
+ 
+ /*



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201508100215.t7A2FrMv066401>