rpms/net-snmp/F-8 net-snmp-5.4.1-getbulk-crash.patch, NONE, 1.1 net-snmp.spec, 1.137, 1.138

Jan Šafránek jsafrane at fedoraproject.org
Mon Nov 3 08:54:20 UTC 2008 

Author: jsafrane

Update of /cvs/pkgs/rpms/net-snmp/F-8
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16040

Modified Files:
	net-snmp.spec 
Added Files:
	net-snmp-5.4.1-getbulk-crash.patch 
Log Message:
fix CVE-2008-4309
Resolves: CVE-2008-4309

net-snmp-5.4.1-getbulk-crash.patch:

--- NEW FILE net-snmp-5.4.1-getbulk-crash.patch ---
CVE-2008-4309: net-snmp: numresponses calculation integer overflow in snmp_agent.c

Source: upstream, http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17272

Index: clean/agent/snmp_agent.c
===================================================================
--- clean.orig/agent/snmp_agent.c	2008-10-28 23:12:10.000000000 +0100
+++ clean/agent/snmp_agent.c	2008-10-28 23:15:11.000000000 +0100
@@ -2234,7 +2234,6 @@
             r = 0;
             asp->bulkcache = NULL;
         } else {
-            int numresponses;
             int           maxbulk =
                 netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
                                    NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
@@ -2245,28 +2244,31 @@
             if (maxresponses == 0)
                 maxresponses = 100;   /* more than reasonable default */
 
-            if (maxbulk == 0)
-                maxbulk = -1;
+            /* ensure that the total number of responses fits in a mallocable
+             * result vector
+             */
+            if (maxresponses < 0 ||
+                maxresponses > INT_MAX / sizeof(struct varbind_list *))
+                maxresponses = INT_MAX / sizeof(struct varbind_list *);
+
+            /* ensure that the maximum number of repetitions will fit in the
+             * result vector
+             */
+            if (maxbulk <= 0 || maxbulk > maxresponses / r)
+                maxbulk = maxresponses / r;
 
             /* limit getbulk number of repeats to a configured size */
-            if (asp->pdu->errindex > maxbulk && maxbulk != -1) {
+            if (asp->pdu->errindex > maxbulk) {
                 asp->pdu->errindex = maxbulk;
-            }
-
-            numresponses = asp->pdu->errindex * r;
-
-            /* limit getbulk number of getbulk responses to a configured size */
-            if (maxresponses != -1 && numresponses > maxresponses) {
-                /* attempt to truncate this */
-                asp->pdu->errindex = maxresponses/r;
-                numresponses = asp->pdu->errindex * r;
-                DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex));
+                DEBUGMSGTL(("snmp_agent",
+                            "truncating number of getbulk repeats to %d\n",
+                            asp->pdu->errindex));
             }
 
             asp->bulkcache =
-                (netsnmp_variable_list **) malloc(numresponses *
-                                                  sizeof(struct
-                                                         varbind_list *));
+                (netsnmp_variable_list **) malloc(
+                    asp->pdu->errindex * r * sizeof(struct varbind_list *));
+
             if (!asp->bulkcache) {
                 DEBUGMSGTL(("snmp_agent", "Bulkcache malloc failed\n"));
                 return SNMP_ERR_GENERR;


Index: net-snmp.spec
===================================================================
RCS file: /cvs/pkgs/rpms/net-snmp/F-8/net-snmp.spec,v
retrieving revision 1.137
retrieving revision 1.138
diff -u -r1.137 -r1.138
--- net-snmp.spec	3 Nov 2008 08:32:56 -0000	1.137
+++ net-snmp.spec	3 Nov 2008 08:53:50 -0000	1.138
@@ -40,7 +40,7 @@
 Patch16: net-snmp-5.4.1-xen-crash.patch
 Patch17: net-snmp-5.4.1-hmac-check.patch
 Patch18: net-snmp-5.4.1-perl-snprintf.patch
-
+Patch19: net-snmp-5.4.1-getbulk-crash.patch
 
 Requires(pre): /sbin/chkconfig
 Requires(post): /sbin/chkconfig
@@ -157,6 +157,7 @@
 %patch16 -p0 -b .xen-crash
 %patch17 -p1 -b .hmac-check
 %patch18 -p3 -b .perl-snprintf
+%patch19 -p1 -b .getbulk-crash
 
 # Do this patch with a perl hack...
 perl -pi -e "s|'\\\$install_libdir'|'%{_libdir}'|" ltmain.sh
@@ -369,6 +370,7 @@
 * Mon Jun 23 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-8
 - explicitly require the right version and release of net-snmp and 
   net-snmp-libs (#451225)
+- fix CVE-2008-4309
 
 * Tue Jun 10 2008 Jan Safranek <jsafranek at redhat.com> 5.4.1-7
 - fix various flaws (CVE-2008-2292 CVE-2008-0960)

More information about the fedora-extras-commits mailing list