From owner-svn-src-stable@freebsd.org  Sat Jan  7 08:47:28 2017
Return-Path: <owner-svn-src-stable@freebsd.org>
Delivered-To: svn-src-stable@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id CEAA1CA31E4;
 Sat,  7 Jan 2017 08:47:28 +0000 (UTC)
 (envelope-from ngie@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id ABB1F127C;
 Sat,  7 Jan 2017 08:47:28 +0000 (UTC)
 (envelope-from ngie@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v078lRWH081788;
 Sat, 7 Jan 2017 08:47:27 GMT (envelope-from ngie@FreeBSD.org)
Received: (from ngie@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id v078lRGX081785;
 Sat, 7 Jan 2017 08:47:27 GMT (envelope-from ngie@FreeBSD.org)
Message-Id: <201701070847.v078lRGX081785@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: ngie set sender to
 ngie@FreeBSD.org using -f
From: Ngie Cooper <ngie@FreeBSD.org>
Date: Sat, 7 Jan 2017 08:47:27 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject: svn commit: r311596 - stable/11/contrib/bsnmp/snmpd
X-SVN-Group: stable-11
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-stable@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for all the -stable branches of the src tree
 <svn-src-stable.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-stable>, 
 <mailto:svn-src-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-stable/>
List-Post: <mailto:svn-src-stable@freebsd.org>
List-Help: <mailto:svn-src-stable-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-stable>,
 <mailto:svn-src-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Jan 2017 08:47:28 -0000

Author: ngie
Date: Sat Jan  7 08:47:27 2017
New Revision: 311596
URL: https://svnweb.freebsd.org/changeset/base/311596

Log:
  MFC r310957,r310958,r310960:
  
  r310957:
  
  Use strlcpy when copying `com` to pdu->community to avoid potential
  buffer overruns
  
  CID:		1006823, 1006824
  
  r310958:
  
  Initialize ret to SNMPD_INPUT_OK at the top of snmp_input_start(..) to
  avoid returning an uninitialized value
  
  There are some really complicated, snakey if-statements combined with
  switch statements that could result in an invalid value being returned
  as `ret`
  
  CID:		1006551
  
  r310960:
  
  Similar to r310954, set .len to 0 on malloc failure and to `len` only
  on success

Modified:
  stable/11/contrib/bsnmp/snmpd/export.c
  stable/11/contrib/bsnmp/snmpd/main.c
  stable/11/contrib/bsnmp/snmpd/trap.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/bsnmp/snmpd/export.c
==============================================================================
--- stable/11/contrib/bsnmp/snmpd/export.c	Sat Jan  7 08:46:16 2017	(r311595)
+++ stable/11/contrib/bsnmp/snmpd/export.c	Sat Jan  7 08:47:27 2017	(r311596)
@@ -114,9 +114,11 @@ string_get(struct snmp_value *value, con
 	}
 	if (len == -1)
 		len = strlen(ptr);
-	value->v.octetstring.len = (u_long)len;
-	if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+	if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+		value->v.octetstring.len = 0;
 		return (SNMP_ERR_RES_UNAVAIL);
+	}
+	value->v.octetstring.len = (u_long)len;
 	memcpy(value->v.octetstring.octets, ptr, (size_t)len);
 	return (SNMP_ERR_NOERROR);
 }
@@ -138,9 +140,11 @@ string_get_max(struct snmp_value *value,
 		len = strlen(ptr);
 	if ((size_t)len > maxlen)
 		len = maxlen;
-	value->v.octetstring.len = (u_long)len;
-	if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+	if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+		value->v.octetstring.len = 0;
 		return (SNMP_ERR_RES_UNAVAIL);
+	}
+	value->v.octetstring.len = (u_long)len;
 	memcpy(value->v.octetstring.octets, ptr, (size_t)len);
 	return (SNMP_ERR_NOERROR);
 }

Modified: stable/11/contrib/bsnmp/snmpd/main.c
==============================================================================
--- stable/11/contrib/bsnmp/snmpd/main.c	Sat Jan  7 08:46:16 2017	(r311595)
+++ stable/11/contrib/bsnmp/snmpd/main.c	Sat Jan  7 08:47:27 2017	(r311596)
@@ -492,6 +492,8 @@ snmp_input_start(const u_char *buf, size
 	b.asn_cptr = buf;
 	b.asn_len = len;
 
+	ret = SNMPD_INPUT_OK;
+
 	/* look whether we have enough bytes for the entire PDU. */
 	switch (sret = snmp_pdu_snoop(&b)) {
 
@@ -520,8 +522,6 @@ snmp_input_start(const u_char *buf, size
 	}
 	code = snmp_pdu_decode_scoped(&b, pdu, ip);
 
-	ret = SNMPD_INPUT_OK;
-
 decoded:
 	snmpd_stats.inPkts++;
 

Modified: stable/11/contrib/bsnmp/snmpd/trap.c
==============================================================================
--- stable/11/contrib/bsnmp/snmpd/trap.c	Sat Jan  7 08:46:16 2017	(r311595)
+++ stable/11/contrib/bsnmp/snmpd/trap.c	Sat Jan  7 08:47:27 2017	(r311596)
@@ -422,7 +422,7 @@ snmp_create_v1_trap(struct snmp_pdu *pdu
     const struct asn_oid *trap_oid)
 {
 	memset(pdu, 0, sizeof(*pdu));
-	strcpy(pdu->community, com);
+	strlcpy(pdu->community, com, sizeof(pdu->community));
 
 	pdu->version = SNMP_V1;
 	pdu->type = SNMP_PDU_TRAP;
@@ -439,7 +439,7 @@ snmp_create_v2_trap(struct snmp_pdu *pdu
     const struct asn_oid *trap_oid)
 {
 	memset(pdu, 0, sizeof(*pdu));
-	strcpy(pdu->community, com);
+	strlcpy(pdu->community, com, sizeof(pdu->community));
 
 	pdu->version = SNMP_V2c;
 	pdu->type = SNMP_PDU_TRAP2;