aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authoryanjun.zhu <yanjun.zhu@windriver.com>2014-05-09 16:40:36 +0800
committerJoe MacDonald <joe@deserted.net>2014-05-09 10:18:40 -0400
commit7361149c47dc846552e574456c607d1bef508b08 (patch)
tree883bb95e58fae780fc7ec8045cc7a287ca7f294e
parentb9ad53cccef2d8e695d9459904bac277e0406b89 (diff)
downloadmeta-openembedded-7361149c47dc846552e574456c607d1bef508b08.tar.gz
meta-openembedded-7361149c47dc846552e574456c607d1bef508b08.tar.bz2
meta-openembedded-7361149c47dc846552e574456c607d1bef508b08.zip
net-snmp-5.7.2: fix CVE-2014-2284
The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before 5.5.2.1, 5.6.x before 5.6.2.1, and 5.7.x before 5.7.2.1 does not properly validate input, which allows remote attackers to cause a denial of service via unspecified vectors. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2284 Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
-rw-r--r--meta-networking/recipes-protocols/net-snmp/files/net-snmp-5.7.2-fix-CVE-2014-2284.patch126
-rw-r--r--meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb1
2 files changed, 127 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/net-snmp/files/net-snmp-5.7.2-fix-CVE-2014-2284.patch b/meta-networking/recipes-protocols/net-snmp/files/net-snmp-5.7.2-fix-CVE-2014-2284.patch
new file mode 100644
index 000000000..4ad906432
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/files/net-snmp-5.7.2-fix-CVE-2014-2284.patch
@@ -0,0 +1,126 @@
+diff -urpN a/agent/mibgroup/mibII/icmp.c b/agent/mibgroup/mibII/icmp.c
+--- a/agent/mibgroup/mibII/icmp.c
++++ b/agent/mibgroup/mibII/icmp.c
+@@ -106,10 +106,20 @@ struct icmp_msg_stats_table_entry {
+ int flags;
+ };
+
++#ifdef linux
++/* Linux keeps track of all possible message types */
++#define ICMP_MSG_STATS_IPV4_COUNT 256
++#else
+ #define ICMP_MSG_STATS_IPV4_COUNT 11
++#endif
+
+ #ifdef NETSNMP_ENABLE_IPV6
++#ifdef linux
++/* Linux keeps track of all possible message types */
++#define ICMP_MSG_STATS_IPV6_COUNT 256
++#else
+ #define ICMP_MSG_STATS_IPV6_COUNT 14
++#endif
+ #else
+ #define ICMP_MSG_STATS_IPV6_COUNT 0
+ #endif /* NETSNMP_ENABLE_IPV6 */
+@@ -177,7 +187,7 @@ icmp_msg_stats_load(netsnmp_cache *cache
+ inc = 0;
+ linux_read_icmp_msg_stat(&v4icmp, &v4icmpmsg, &flag);
+ if (flag) {
+- while (254 != k) {
++ while (255 >= k) {
+ if (v4icmpmsg.vals[k].InType) {
+ icmp_msg_stats_table[i].ipVer = 1;
+ icmp_msg_stats_table[i].icmpMsgStatsType = k;
+@@ -1050,6 +1060,12 @@ icmp_stats_table_handler(netsnmp_mib_han
+ continue;
+ table_info = netsnmp_extract_table_info(request);
+ subid = table_info->colnum;
++ DEBUGMSGTL(( "mibII/icmpStatsTable", "oid: " ));
++ DEBUGMSGOID(( "mibII/icmpStatsTable", request->requestvb->name,
++ request->requestvb->name_length ));
++ DEBUGMSG(( "mibII/icmpStatsTable", " In %d InErr %d Out %d OutErr %d\n",
++ entry->icmpStatsInMsgs, entry->icmpStatsInErrors,
++ entry->icmpStatsOutMsgs, entry->icmpStatsOutErrors ));
+
+ switch (subid) {
+ case ICMP_STAT_INMSG:
+@@ -1117,6 +1133,11 @@ icmp_msg_stats_table_handler(netsnmp_mib
+ continue;
+ table_info = netsnmp_extract_table_info(request);
+ subid = table_info->colnum;
++ DEBUGMSGTL(( "mibII/icmpMsgStatsTable", "oid: " ));
++ DEBUGMSGOID(( "mibII/icmpMsgStatsTable", request->requestvb->name,
++ request->requestvb->name_length ));
++ DEBUGMSG(( "mibII/icmpMsgStatsTable", " In %d Out %d Flags 0x%x\n",
++ entry->icmpMsgStatsInPkts, entry->icmpMsgStatsOutPkts, entry->flags ));
+
+ switch (subid) {
+ case ICMP_MSG_STAT_IN_PKTS:
+diff -urpN a/agent/mibgroup/mibII/kernel_linux.c b/agent/mibgroup/mibII/kernel_linux.c
+--- a/agent/mibgroup/mibII/kernel_linux.c
++++ b/agent/mibgroup/mibII/kernel_linux.c
+@@ -81,9 +81,9 @@ decode_icmp_msg(char *line, char *data,
+ index = strtol(token, &delim, 0);
+ if (ERANGE == errno) {
+ continue;
+- } else if (index > LONG_MAX) {
++ } else if (index > 255) {
+ continue;
+- } else if (index < LONG_MIN) {
++ } else if (index < 0) {
+ continue;
+ }
+ if (NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
+@@ -94,9 +94,9 @@ decode_icmp_msg(char *line, char *data,
+ index = strtol(token, &delim, 0);
+ if (ERANGE == errno) {
+ continue;
+- } else if (index > LONG_MAX) {
++ } else if (index > 255) {
+ continue;
+- } else if (index < LONG_MIN) {
++ } else if (index < 0) {
+ continue;
+ }
+ if(NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
+@@ -426,14 +426,21 @@ linux_read_icmp6_parse(struct icmp6_mib
+
+ vals = name;
+ if (NULL != icmp6msgstat) {
++ int type;
+ if (0 == strncmp(name, "Icmp6OutType", 12)) {
+ strsep(&vals, "e");
+- icmp6msgstat->vals[atoi(vals)].OutType = stats;
++ type = atoi(vals);
++ if ( type < 0 || type > 255 )
++ continue;
++ icmp6msgstat->vals[type].OutType = stats;
+ *support = 1;
+ continue;
+ } else if (0 == strncmp(name, "Icmp6InType", 11)) {
+ strsep(&vals, "e");
+- icmp6msgstat->vals[atoi(vals)].InType = stats;
++ type = atoi(vals);
++ if ( type < 0 || type > 255 )
++ continue;
++ icmp6msgstat->vals[type].OutType = stats;
+ *support = 1;
+ continue;
+ }
+diff -urpN a/agent/mibgroup/mibII/kernel_linux.h b/agent/mibgroup/mibII/kernel_linux.h
+--- a/agent/mibgroup/mibII/kernel_linux.h
++++ b/agent/mibgroup/mibII/kernel_linux.h
+@@ -121,11 +121,11 @@ struct icmp_msg_mib {
+
+ /* Lets use wrapper structures for future expansion */
+ struct icmp4_msg_mib {
+- struct icmp_msg_mib vals[255];
++ struct icmp_msg_mib vals[256];
+ };
+
+ struct icmp6_msg_mib {
+- struct icmp_msg_mib vals[255];
++ struct icmp_msg_mib vals[256];
+ };
+
+ struct udp_mib {
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb
index f6656ad7d..8f20ce9a3 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
file://snmpd.service \
file://snmptrapd.service \
file://ifmib.patch \
+ file://net-snmp-5.7.2-fix-CVE-2014-2284.patch \
"
SRC_URI[md5sum] = "5bddd02e2f82b62daa79f82717737a14"