73 lines
2.1 KiB
Diff
73 lines
2.1 KiB
Diff
From b07627fa67c686b07d1eab123cf3e4887a2a93aa Mon Sep 17 00:00:00 2001
|
|
From: Bill Fenner <fenner@gmail.com>
|
|
Date: Fri, 25 Nov 2022 08:41:24 -0800
|
|
Subject: [PATCH] snmp_agent: disallow SET with NULL varbind
|
|
|
|
Upstream: https://github.com/net-snmp/net-snmp/commit/4589352dac3ae111c7621298cf231742209efd9b
|
|
|
|
[Thomas: this commit was merged as part of
|
|
https://github.com/net-snmp/net-snmp/pull/490/commits, which fixes
|
|
https://github.com/net-snmp/net-snmp/issues/474 (CVE-2022-44792) and
|
|
https://github.com/net-snmp/net-snmp/issues/475 (CVE-2022-44793). The
|
|
other two commits merged as part of this pull request are related to
|
|
adding a non-regression test for this, which is not relevant for the
|
|
security fix itself.]
|
|
|
|
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
|
---
|
|
agent/snmp_agent.c | 32 ++++++++++++++++++++++++++++++++
|
|
1 file changed, 32 insertions(+)
|
|
|
|
diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
|
|
index 867d0c166f..3f678fe2df 100644
|
|
--- a/agent/snmp_agent.c
|
|
+++ b/agent/snmp_agent.c
|
|
@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status)
|
|
return 1;
|
|
}
|
|
|
|
+static int
|
|
+check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
|
|
+{
|
|
+ int i;
|
|
+ netsnmp_variable_list *v = NULL;
|
|
+
|
|
+ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) {
|
|
+ if (v->type == ASN_NULL) {
|
|
+ /*
|
|
+ * Protect SET implementations that do not protect themselves
|
|
+ * against wrong type.
|
|
+ */
|
|
+ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i));
|
|
+ asp->index = i;
|
|
+ return SNMP_ERR_WRONGTYPE;
|
|
+ }
|
|
+ }
|
|
+ return SNMP_ERR_NOERROR;
|
|
+}
|
|
+
|
|
int
|
|
handle_pdu(netsnmp_agent_session *asp)
|
|
{
|
|
int status, inclusives = 0;
|
|
netsnmp_variable_list *v = NULL;
|
|
|
|
+#ifndef NETSNMP_NO_WRITE_SUPPORT
|
|
+ /*
|
|
+ * Check for ASN_NULL in SET request
|
|
+ */
|
|
+ if (asp->pdu->command == SNMP_MSG_SET) {
|
|
+ status = check_set_pdu_for_null_varbind(asp);
|
|
+ if (status != SNMP_ERR_NOERROR) {
|
|
+ return status;
|
|
+ }
|
|
+ }
|
|
+#endif /* NETSNMP_NO_WRITE_SUPPORT */
|
|
+
|
|
/*
|
|
* for illegal requests, mark all nodes as ASN_NULL
|
|
*/
|
|
--
|
|
2.41.0
|
|
|