From 2e83661a473e0267a828f1013ed08fca78dddbdd Mon Sep 17 00:00:00 2001
From: spz
Date: Sun, 26 Jan 2014 21:33:06 +0000
Subject: patch (in 4 parts) for CVE-2012-6151 from http://sourceforge.net/p/net-snmp/patches/_discuss/thread/36675011/e98b/attachment/alt-cancel-next-walk-v2.patch
---
 net/net-snmp/Makefile | 4 +-
 net/net-snmp/distinfo | 6 +-
 .../patches/patch-agent_mibgroup_agentx_master.c | 31 +++++
 .../patch-agent_mibgroup_agentx_master_admin.c | 15 ++
 net/net-snmp/patches/patch-agent_snmp__agent.c | 151 +++++++++++++++++++++
 .../patch-include_net-snmp_agent_snmp__agent.h | 33 +++++
 6 files changed, 237 insertions(+), 3 deletions(-)
 create mode 100644 net/net-snmp/patches/patch-agent_mibgroup_agentx_master.c
 create mode 100644 net/net-snmp/patches/patch-agent_mibgroup_agentx_master_admin.c
 create mode 100644 net/net-snmp/patches/patch-agent_snmp__agent.c
 create mode 100644 net/net-snmp/patches/patch-include_net-snmp_agent_snmp__agent.h
(limited to 'net/net-snmp')
diff --git a/net/net-snmp/Makefile b/net/net-snmp/Makefile
index 825a2262099..4fa8d3d0c1c 100644
--- a/net/net-snmp/Makefile
+++ b/net/net-snmp/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.99 2013/11/05 17:40:30 joerg Exp $
+# $NetBSD: Makefile,v 1.100 2014/01/26 21:33:06 spz Exp $
 DISTNAME= net-snmp-5.7.2
-PKGREVISION= 4
+PKGREVISION= 5
 CATEGORIES= net
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=net-snmp/}
diff --git a/net/net-snmp/distinfo b/net/net-snmp/distinfo
index 49a9aaa65ac..6c6b715d0ec 100644
--- a/net/net-snmp/distinfo
+++ b/net/net-snmp/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.79 2013/11/29 12:59:51 joerg Exp $
+$NetBSD: distinfo,v 1.80 2014/01/26 21:33:06 spz Exp $
 SHA1 (net-snmp-5.7.2.tar.gz) = c493027907f32400648244d81117a126aecd27ee
 RMD160 (net-snmp-5.7.2.tar.gz) = 392d643e9f2f42ee4fa688b4702329ad005ee12e
@@ -6,6 +6,8 @@ Size (net-snmp-5.7.2.tar.gz) = 6281352 bytes
 SHA1 (patch-ac) = 59987ecb9467b1cead9af3d4432a4dd69be93480
 SHA1 (patch-af) = 4fb96b79f9126dedb8a132d44894ea23c9e8c101
 SHA1 (patch-ag) = d9595eceeb5ee986ab4365f62e3c3ab339e605aa
+SHA1 (patch-agent_mibgroup_agentx_master.c) = c2b3f145280e3fecc26a431ec914cf89d87a17f4
+SHA1 (patch-agent_mibgroup_agentx_master_admin.c) = 3c233c1e3113fbc9c1de34cb4cbacca9ef4a6fe2
 SHA1 (patch-agent_mibgroup_hardware_cpu_cpu__sysctl.c) = 346bb4cb0e905821aa3bbdda4ae0fd8526d35854
 SHA1 (patch-agent_mibgroup_hardware_fsys_fsys_getfsstats.c) = 7fc48c58c8f5bc73caaf3990ef61a94fb856e208
 SHA1 (patch-agent_mibgroup_hardware_memory_memory__netbsd.c) = f04d66f823bf2b49401e6d9a62db4b39ed679907
@@ -14,6 +16,7 @@ SHA1 (patch-agent_mibgroup_mibII_ipAddr.c) = cd3345a4b30fe2280d0555ee38feb5f957a
 SHA1 (patch-agent_mibgroup_mibII_ipv6.c) = d6a271145e6ba774cbc1e93caa14e3d22dc43075
 SHA1 (patch-agent_mibgroup_mibII_tcpTable.c) = f547f3fd08848803cbf7ce08a41ba463c4d02992
 SHA1 (patch-agent_mibgroup_mibII_udpTable.c) = 2eb5e5c05ecb23f69cbb0d38a31e14d5b5ddc6b7
+SHA1 (patch-agent_snmp__agent.c) = 2dbfea907d0e1881f5d55c5b270984fc3a562da9
 SHA1 (patch-ai) = 04c2a487bad8705c9725ef4a62016051d3898970
 SHA1 (patch-aj) = d110e996d0538d17251d39a5eed46df6944ba0fa
 SHA1 (patch-ak) = 50ac67db8a9ffc16d983b4192e74db25ef439321
@@ -27,5 +30,6 @@ SHA1 (patch-dt) = 452fee78b37f8ce0eb30049f9f18b04cff9b6e6e
 SHA1 (patch-du) = 89a77e82d881207500fb45c422b66710e44c0eb4
 SHA1 (patch-el) = b85dbef28e14fe29c9fb944508a08e7423a37152
 SHA1 (patch-es) = 7336d905bac315f344f93664e4118332f88fb6ee
+SHA1 (patch-include_net-snmp_agent_snmp__agent.h) = 2139d849b0ffe004a72f3276a98c0d2cb72dca18
 SHA1 (patch-include_net-snmp_system_netbsd.h) = 7880fded678147b2cc75e035234b89727e213d00
 SHA1 (patch-perl_agent_Makefile.PL) = 722380debeda1552b74b60ff91cea3cbbc716e74
diff --git a/net/net-snmp/patches/patch-agent_mibgroup_agentx_master.c b/net/net-snmp/patches/patch-agent_mibgroup_agentx_master.c
new file mode 100644
index 00000000000..f06457b6c9e
--- /dev/null
+++ b/net/net-snmp/patches/patch-agent_mibgroup_agentx_master.c
@@ -0,0 +1,31 @@
+$NetBSD: patch-agent_mibgroup_agentx_master.c,v 1.1 2014/01/26 21:33:06 spz Exp $
+
+patch for CVE-2012-6151 from
+http://sourceforge.net/p/net-snmp/patches/_discuss/thread/36675011/e98b/attachment/alt-cancel-next-walk-v2.patch
+
+--- agent/mibgroup/agentx/master.c.orig 2012-10-09 22:28:58.000000000 +0000
++++ agent/mibgroup/agentx/master.c
+@@ -219,7 +219,13 @@ agentx_got_response(int operation,
+ if (!cache) {
+ DEBUGMSGTL(("agentx/master", "response too late on session %8p\n",
+ session));
+- return 0;
++ /*
++ * Response is too late, free the cache and return 1
++ * so that the session pending request list item can be deleted
++ */
++ if (magic)
++ netsnmp_free_delegated_cache((netsnmp_delegated_cache*) magic);
++ return 1;
+ }
+ requests = cache->requests;
+
+@@ -606,6 +612,8 @@ agentx_master_handler(netsnmp_mib_handle
+ result = snmp_async_send(ax_session, pdu, agentx_got_response, cb_data);
+ if (result == 0) {
+ snmp_free_pdu(pdu);
++ if (cb_data)
++ netsnmp_free_delegated_cache((netsnmp_delegated_cache*) cb_data);
+ }
+
+ return SNMP_ERR_NOERROR;
diff --git a/net/net-snmp/patches/patch-agent_mibgroup_agentx_master_admin.c b/net/net-snmp/patches/patch-agent_mibgroup_agentx_master_admin.c
new file mode 100644
index 00000000000..f69c8672cd3
--- /dev/null
+++ b/net/net-snmp/patches/patch-agent_mibgroup_agentx_master_admin.c
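Review bot: In the `!cache` branch of agentx_got_response the added code frees `magic` before returning 1, and nothing in the hunk shows that no other path can still release the same delegated cache; the statement that derives `cache` from `magic` lies above the hunk. If the session-close cancellation added elsewhere in this commit can reach that cache as well, this would be a double free, so the ownership rule should be written next to the free, for example `/* magic is released exactly once: here, or after the response has been processed */`. The `result == 0` branch in agentx_master_handler has a related gap: it now frees `cb_data` but still returns SNMP_ERR_NOERROR with no log line, and a `snmp_log(LOG_ERR, "agentx: async send to subagent failed\n");` there would make the dropped request visible. Both function bodies begin and end outside the hunk.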
@@ -0,0 +1,15 @@
+$NetBSD: patch-agent_mibgroup_agentx_master_admin.c,v 1.1 2014/01/26 21:33:06 spz Exp $
+
+patch for CVE-2012-6151 from
+http://sourceforge.net/p/net-snmp/patches/_discuss/thread/36675011/e98b/attachment/alt-cancel-next-walk-v2.patch
+
+--- agent/mibgroup/agentx/master_admin.c.orig 2012-10-09 22:28:58.000000000 +0000
++++ agent/mibgroup/agentx/master_admin.c
+@@ -153,6 +153,7 @@ close_agentx_session(netsnmp_session * s
+ for (sp = session->subsession; sp != NULL; sp = sp->next) {
+
+ if (sp->sessid == sessid) {
++ netsnmp_remove_delegated_requests_for_session(sp);
+ unregister_mibs_by_session(sp);
+ unregister_index_by_session(sp);
+ unregister_sysORTable_by_session(sp);
diff --git a/net/net-snmp/patches/patch-agent_snmp__agent.c b/net/net-snmp/patches/patch-agent_snmp__agent.c
new file mode 100644
index 00000000000..fb51d3e6c4b
--- /dev/null
+++ b/net/net-snmp/patches/patch-agent_snmp__agent.c
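Review bot: The new `netsnmp_remove_delegated_requests_for_session(sp);` call in close_agentx_session carries an ordering dependency that is not written down: the helper matches requests through `request->subtree->session`, so it presumably has to run before `unregister_mibs_by_session(sp)` takes the subsession's registrations away. A one-line comment would keep a later reorder from leaving delegated requests that point at unregistered subtrees, e.g. `/* cancel delegated requests first: matching goes through request->subtree->session */`. The return value, the number of requests cancelled, is discarded; that is acceptable but it could feed a DEBUGMSGTL line. The loop body continues past the end of the hunk.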
@@ -0,0 +1,151 @@
+$NetBSD: patch-agent_snmp__agent.c,v 1.1 2014/01/26 21:33:06 spz Exp $
+
+patch for CVE-2012-6151 from
+http://sourceforge.net/p/net-snmp/patches/_discuss/thread/36675011/e98b/attachment/alt-cancel-next-walk-v2.patch
+
+--- agent/snmp_agent.c.orig 2012-10-09 22:28:58.000000000 +0000
++++ agent/snmp_agent.c
+@@ -1409,6 +1409,7 @@ init_agent_snmp_session(netsnmp_session
+ asp->treecache_num = -1;
+ asp->treecache_len = 0;
+ asp->reqinfo = SNMP_MALLOC_TYPEDEF(netsnmp_agent_request_info);
++ asp->flags = SNMP_AGENT_FLAGS_NONE;
+ DEBUGMSGTL(("verbose:asp", "asp %p reqinfo %p created\n",
+ asp, asp->reqinfo));
+
+@@ -1458,6 +1459,9 @@ netsnmp_check_for_delegated(netsnmp_agen
+ if (NULL == asp->treecache)
+ return 0;
+
++ if (asp->flags & SNMP_AGENT_FLAGS_CANCEL_IN_PROGRESS)
++ return 0;
++
+ for (i = 0; i <= asp->treecache_num; i++) {
+ for (request = asp->treecache[i].requests_begin; request;
+ request = request->next) {
+@@ -1535,39 +1539,48 @@ int
+ netsnmp_remove_delegated_requests_for_session(netsnmp_session *sess)
+ {
+ netsnmp_agent_session *asp;
+- int count = 0;
++ int total_count = 0;
+
+ for (asp = agent_delegated_list; asp; asp = asp->next) {
+ /*
+ * check each request
+ */
++ int i;
++ int count = 0;
+ netsnmp_request_info *request;
+- for(request = asp->requests; request; request = request->next) {
+- /*
+- * check session
+- */
+- netsnmp_assert(NULL!=request->subtree);
+- if(request->subtree->session != sess)
+- continue;
+-
+- /*
+- * matched! mark request as done
+- */
+- netsnmp_request_set_error(request, SNMP_ERR_GENERR);
+- ++count;
++ for (i = 0; i <= asp->treecache_num; i++) {
++ for(request = asp->requests; request;
++ request = request->next) {
++ /*
++ * check session
++ */
++ netsnmp_assert(NULL!=request->subtree);
++ if(request->subtree->session != sess)
++ continue;
++
++ /*
++ * matched! mark request as done
++ */
++ netsnmp_request_set_error(request, SNMP_ERR_GENERR);
++ ++count;
++ }
++ }
++ if (count) {
++ asp->flags |= SNMP_AGENT_FLAGS_CANCEL_IN_PROGRESS;
++ total_count += count;
+ }
+ }
+
+ /*
+ * if we found any, that request may be finished now
+ */
+- if(count) {
++ if(total_count) {
+ DEBUGMSGTL(("snmp_agent", "removed %d delegated request(s) for session "
+- "%8p\n", count, sess));
+- netsnmp_check_outstanding_agent_requests();
++ "%8p\n", total_count, sess));
++ netsnmp_check_delegated_requests();
+ }
+
+- return count;
++ return total_count;
+ }
+
+ int
+@@ -2739,13 +2752,8 @@ handle_var_requests(netsnmp_agent_sessio
+ return final_status;
+ }
+
+-/*
+- * loop through our sessions known delegated sessions and check to see
+- * if they've completed yet. If there are no more delegated sessions,
+- * check for and process any queued requests
+- */
+ void
+-netsnmp_check_outstanding_agent_requests(void)
++netsnmp_check_delegated_requests(void)
+ {
+ netsnmp_agent_session *asp, *prev_asp = NULL, *next_asp = NULL;
+
+@@ -2790,6 +2798,22 @@ netsnmp_check_outstanding_agent_requests
+ prev_asp = asp;
+ }
+ }
++}
++
++/*
++ * loop through our sessions known delegated sessions and check to see
++ * if they've completed yet. If there are no more delegated sessions,
++ * check for and process any queued requests
++ */
++void
++netsnmp_check_outstanding_agent_requests(void)
++{
++ netsnmp_agent_session *asp;
++
++ /*
++ * deal with delegated requests
++ */
++ netsnmp_check_delegated_requests();
+
+ /*
+ * if we are processing a set and there are more delegated
+@@ -2819,7 +2843,8 @@ netsnmp_check_outstanding_agent_requests
+
+ netsnmp_processing_set = netsnmp_agent_queued_list;
+ DEBUGMSGTL(("snmp_agent", "SET request remains queued while "
+- "delegated requests finish, asp = %8p\n", asp));
++ "delegated requests finish, asp = %8p\n",
++ agent_delegated_list));
+ break;
+ }
+ #endif /* NETSNMP_NO_WRITE_SUPPORT */
+@@ -2880,6 +2905,10 @@ check_delayed_request(netsnmp_agent_sess
+ case SNMP_MSG_GETBULK:
+ case SNMP_MSG_GETNEXT:
+ netsnmp_check_all_requests_status(asp, 0);
++ if (asp->flags & SNMP_AGENT_FLAGS_CANCEL_IN_PROGRESS) {
++ DEBUGMSGTL(("snmp_agent","canceling next walk for asp %p\n", asp));
++ break;
++ }
+ handle_getnext_loop(asp);
+ if (netsnmp_check_for_delegated(asp) &&
+ netsnmp_check_transaction_id(asp->pdu->transid) !=
diff --git a/net/net-snmp/patches/patch-include_net-snmp_agent_snmp__agent.h b/net/net-snmp/patches/patch-include_net-snmp_agent_snmp__agent.h
new file mode 100644
index 00000000000..7edda043093
--- /dev/null
+++ b/net/net-snmp/patches/patch-include_net-snmp_agent_snmp__agent.h
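Review bot: In netsnmp_remove_delegated_requests_for_session the new outer loop `for (i = 0; i <= asp->treecache_num; i++)` never uses `i`: the inner loop still walks `asp->requests`, so every request is visited treecache_num + 1 times and `count`, and with it the returned `total_count`, is inflated accordingly. It also means that a session whose `treecache_num` is still -1, the value init_agent_snmp_session assigns, is skipped entirely, so its matching requests are neither set to SNMP_ERR_GENERR nor flagged SNMP_AGENT_FLAGS_CANCEL_IN_PROGRESS. netsnmp_check_for_delegated in this same patch iterates `asp->treecache[i].requests_begin`, so the inner loop header here should probably read `for (request = asp->treecache[i].requests_begin; request;` to match. If walking `asp->requests` is what is intended, the outer loop should be dropped instead.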
@@ -0,0 +1,33 @@
+$NetBSD: patch-include_net-snmp_agent_snmp__agent.h,v 1.1 2014/01/26 21:33:06 spz Exp $
+
+patch for CVE-2012-6151 from
+http://sourceforge.net/p/net-snmp/patches/_discuss/thread/36675011/e98b/attachment/alt-cancel-next-walk-v2.patch
+
+--- include/net-snmp/agent/snmp_agent.h.orig 2012-10-09 22:28:58.000000000 +0000
++++ include/net-snmp/agent/snmp_agent.h
+@@ -32,6 +32,9 @@ extern "C" {
+ #define SNMP_MAX_PDU_SIZE 64000 /* local constraint on PDU size sent by agent
+ * (see also SNMP_MAX_MSG_SIZE in snmp_api.h) */
+
++#define SNMP_AGENT_FLAGS_NONE 0x0
++#define SNMP_AGENT_FLAGS_CANCEL_IN_PROGRESS 0x1
++
+ /*
+ * If non-zero, causes the addresses of peers to be logged when receptions
+ * occur.
+@@ -205,6 +208,7 @@ extern "C" {
+ int treecache_num; /* number of current cache entries */
+ netsnmp_cachemap *cache_store;
+ int vbcount;
++ int flags;
+ } netsnmp_agent_session;
+
+ /*
+@@ -240,6 +244,7 @@ extern "C" {
+ int init_master_agent(void);
+ void shutdown_master_agent(void);
+ int agent_check_and_process(int block);
++ void netsnmp_check_delegated_requests(void);
+ void netsnmp_check_outstanding_agent_requests(void);
+
+ int netsnmp_request_set_error(netsnmp_request_info *request,
-- cgit v1.2.3
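Review bot: The new `int flags;` member of netsnmp_agent_session has no comment and is a signed int used as a bit mask; `unsigned int flags; /* SNMP_AGENT_FLAGS_* bits */` would state the intent. The two new macros also deserve a short comment saying that CANCEL_IN_PROGRESS is set when a subagent session is closed while requests are still delegated to it. Because the struct lives in an installed header, appending a member changes its size, so any code outside the agent library that allocates or copies a netsnmp_agent_session has to be rebuilt against the patched header; whether such users exist is not visible here. The struct definition and the prototype list both start outside the hunk.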