mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-01-12 03:24:08 +00:00
net-snmp: CVE-2022-44792 & CVE-2022-44793 Fix NULL Pointer Exception
References: https://nvd.nist.gov/vuln/detail/CVE-2022-44792 https://nvd.nist.gov/vuln/detail/CVE-2022-44793 Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
Narpat Mali
Khem Raj
@@ -0,0 +1,121 @@
|
||||
From d13302656d9ff0807c5defe18623adc947f43a2b Mon Sep 17 00:00:00 2001
|
||||
From: Narpat Mali <narpat.mali@windriver.com>
|
||||
Date: Wed, 8 Feb 2023 13:15:39 +0000
|
||||
Subject: [PATCH] agent: Disallow SET requests with any NULL varbind Merge pull
|
||||
request #490 from fenner/set-null
|
||||
|
||||
fixes: #474 and #475
|
||||
|
||||
CVE: CVE-2022-44792, CVE-2022-44793
|
||||
|
||||
Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57]
|
||||
|
||||
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
|
||||
---
|
||||
agent/snmp_agent.c | 32 +++++++++++++++++++
|
||||
apps/snmpset.c | 1 +
|
||||
.../default/T0142snmpv2csetnull_simple | 31 ++++++++++++++++++
|
||||
3 files changed, 64 insertions(+)
|
||||
create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple
|
||||
|
||||
diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
|
||||
index 867d0c1..3f678fe 100644
|
||||
--- a/agent/snmp_agent.c
|
||||
+++ b/agent/snmp_agent.c
|
||||
@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status)
|
||||
return 1;
|
||||
}
|
||||
|
||||
+static int
|
||||
+check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
|
||||
+{
|
||||
+ int i;
|
||||
+ netsnmp_variable_list *v = NULL;
|
||||
+
|
||||
+ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) {
|
||||
+ if (v->type == ASN_NULL) {
|
||||
+ /*
|
||||
+ * Protect SET implementations that do not protect themselves
|
||||
+ * against wrong type.
|
||||
+ */
|
||||
+ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i));
|
||||
+ asp->index = i;
|
||||
+ return SNMP_ERR_WRONGTYPE;
|
||||
+ }
|
||||
+ }
|
||||
+ return SNMP_ERR_NOERROR;
|
||||
+}
|
||||
+
|
||||
int
|
||||
handle_pdu(netsnmp_agent_session *asp)
|
||||
{
|
||||
int status, inclusives = 0;
|
||||
netsnmp_variable_list *v = NULL;
|
||||
|
||||
+#ifndef NETSNMP_NO_WRITE_SUPPORT
|
||||
+ /*
|
||||
+ * Check for ASN_NULL in SET request
|
||||
+ */
|
||||
+ if (asp->pdu->command == SNMP_MSG_SET) {
|
||||
+ status = check_set_pdu_for_null_varbind(asp);
|
||||
+ if (status != SNMP_ERR_NOERROR) {
|
||||
+ return status;
|
||||
+ }
|
||||
+ }
|
||||
+#endif /* NETSNMP_NO_WRITE_SUPPORT */
|
||||
+
|
||||
/*
|
||||
* for illegal requests, mark all nodes as ASN_NULL
|
||||
*/
|
||||
diff --git a/apps/snmpset.c b/apps/snmpset.c
|
||||
index 48e14bd..d542713 100644
|
||||
--- a/apps/snmpset.c
|
||||
+++ b/apps/snmpset.c
|
||||
@@ -182,6 +182,7 @@ main(int argc, char *argv[])
|
||||
case 'x':
|
||||
case 'd':
|
||||
case 'b':
|
||||
+ case 'n': /* undocumented */
|
||||
#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
|
||||
case 'I':
|
||||
case 'U':
|
||||
diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple
|
||||
new file mode 100644
|
||||
index 0000000..0f1b8f3
|
||||
--- /dev/null
|
||||
+++ b/testing/fulltests/default/T0142snmpv2csetnull_simple
|
||||
@@ -0,0 +1,31 @@
|
||||
+#!/bin/sh
|
||||
+
|
||||
+. ../support/simple_eval_tools.sh
|
||||
+
|
||||
+HEADER SNMPv2c set of system.sysContact.0 with NULL varbind
|
||||
+
|
||||
+SKIPIF NETSNMP_DISABLE_SET_SUPPORT
|
||||
+SKIPIF NETSNMP_NO_WRITE_SUPPORT
|
||||
+SKIPIF NETSNMP_DISABLE_SNMPV2C
|
||||
+SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE
|
||||
+
|
||||
+#
|
||||
+# Begin test
|
||||
+#
|
||||
+
|
||||
+# standard V2C configuration: testcomunnity
|
||||
+snmp_write_access='all'
|
||||
+. ./Sv2cconfig
|
||||
+STARTAGENT
|
||||
+
|
||||
+CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0"
|
||||
+
|
||||
+CHECK ".1.3.6.1.2.1.1.4.0 = STRING:"
|
||||
+
|
||||
+CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x"
|
||||
+
|
||||
+CHECK "Reason: wrongType"
|
||||
+
|
||||
+STOPAGENT
|
||||
+
|
||||
+FINISHED
|
||||
--
|
||||
2.34.1
|
||||
|
||||
@@ -27,6 +27,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
|
||||
file://reproducibility-have-printcap.patch \
|
||||
file://0001-ac_add_search_path.m4-keep-consistent-between-32bit.patch \
|
||||
file://0001-Add-noreturn-attribute-to-netsnmp_pci_error.patch \
|
||||
file://CVE-2022-44792-CVE-2022-44793.patch \
|
||||
"
|
||||
SRC_URI[sha256sum] = "2097f29b7e1bf3f1300b4bae52fa2308d0bb8d5d3998dbe02f9462a413a2ef0a"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user