net-snmp-5.7.2: fix CVE-2014-2284

The Linux implementation of the ICMP-MIB in Net-SNMP 5.5 before
5.5.2.1, 5.6.x before 5.6.2.1, and 5.7.x before 5.7.2.1 does
not properly validate input, which allows remote attackers
to cause a denial of service via unspecified vectors.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2284
Signed-off-by: yanjun.zhu <yanjun.zhu@windriver.com>
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>

meta-networking/recipes-protocols/net-snmp/files/net-snmp-5.7.2-fix-CVE-2014-2284.patch

@@ -0,0 +1,126 @@
+diff -urpN a/agent/mibgroup/mibII/icmp.c b/agent/mibgroup/mibII/icmp.c
+--- a/agent/mibgroup/mibII/icmp.c
++++ b/agent/mibgroup/mibII/icmp.c
+@@ -106,10 +106,20 @@ struct icmp_msg_stats_table_entry {
+         int flags;
+ };
+ 
++#ifdef linux
++/* Linux keeps track of all possible message types */
++#define ICMP_MSG_STATS_IPV4_COUNT 256
++#else
+ #define ICMP_MSG_STATS_IPV4_COUNT 11
++#endif
+ 
+ #ifdef NETSNMP_ENABLE_IPV6
++#ifdef linux
++/* Linux keeps track of all possible message types */
++#define ICMP_MSG_STATS_IPV6_COUNT 256
++#else
+ #define ICMP_MSG_STATS_IPV6_COUNT 14
++#endif
+ #else
+ #define ICMP_MSG_STATS_IPV6_COUNT 0
+ #endif /* NETSNMP_ENABLE_IPV6 */
+@@ -177,7 +187,7 @@ icmp_msg_stats_load(netsnmp_cache *cache
+     inc = 0;
+     linux_read_icmp_msg_stat(&v4icmp, &v4icmpmsg, &flag);
+     if (flag) {
+-        while (254 != k) {
++        while (255 >= k) {
+             if (v4icmpmsg.vals[k].InType) {
+                 icmp_msg_stats_table[i].ipVer = 1;
+                 icmp_msg_stats_table[i].icmpMsgStatsType = k;
+@@ -1050,6 +1060,12 @@ icmp_stats_table_handler(netsnmp_mib_han
+ 					continue;
+ 				table_info = netsnmp_extract_table_info(request);
+ 				subid      = table_info->colnum;
++				DEBUGMSGTL(( "mibII/icmpStatsTable", "oid: " ));
++				DEBUGMSGOID(( "mibII/icmpStatsTable", request->requestvb->name,
++						 request->requestvb->name_length ));
++				DEBUGMSG(( "mibII/icmpStatsTable", " In %d InErr %d Out %d OutErr %d\n",
++					      entry->icmpStatsInMsgs, entry->icmpStatsInErrors,
++					      entry->icmpStatsOutMsgs, entry->icmpStatsOutErrors ));
+ 
+ 				switch (subid) {
+ 					case ICMP_STAT_INMSG:
+@@ -1117,6 +1133,11 @@ icmp_msg_stats_table_handler(netsnmp_mib
+                     continue;
+                 table_info = netsnmp_extract_table_info(request);
+                 subid = table_info->colnum;
++		DEBUGMSGTL(( "mibII/icmpMsgStatsTable", "oid: " ));
++		DEBUGMSGOID(( "mibII/icmpMsgStatsTable", request->requestvb->name,
++				request->requestvb->name_length ));
++		DEBUGMSG(( "mibII/icmpMsgStatsTable", " In %d Out %d Flags 0x%x\n",
++				entry->icmpMsgStatsInPkts, entry->icmpMsgStatsOutPkts, entry->flags ));
+ 
+                 switch (subid) {
+                     case ICMP_MSG_STAT_IN_PKTS:
+diff -urpN a/agent/mibgroup/mibII/kernel_linux.c b/agent/mibgroup/mibII/kernel_linux.c
+--- a/agent/mibgroup/mibII/kernel_linux.c
++++ b/agent/mibgroup/mibII/kernel_linux.c
+@@ -81,9 +81,9 @@ decode_icmp_msg(char *line, char *data, 
+             index = strtol(token, &delim, 0);
+             if (ERANGE == errno) {
+                 continue;
+-            } else if (index > LONG_MAX) {
++            } else if (index > 255) {
+                 continue;
+-            } else if (index < LONG_MIN) {
++            } else if (index < 0) {
+                 continue;
+             }
+             if (NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
+@@ -94,9 +94,9 @@ decode_icmp_msg(char *line, char *data, 
+             index = strtol(token, &delim, 0);
+             if (ERANGE == errno) {
+                 continue;
+-            } else if (index > LONG_MAX) {
++            } else if (index > 255) {
+                 continue;
+-            } else if (index < LONG_MIN) {
++            } else if (index < 0) {
+                 continue;
+             }
+             if(NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
+@@ -426,14 +426,21 @@ linux_read_icmp6_parse(struct icmp6_mib 
+ 
+         vals = name;
+         if (NULL != icmp6msgstat) {
++            int type;
+             if (0 == strncmp(name, "Icmp6OutType", 12)) {
+                 strsep(&vals, "e");
+-                icmp6msgstat->vals[atoi(vals)].OutType = stats;
++                type = atoi(vals);
++                if ( type < 0 || type > 255 )
++                    continue;
++                icmp6msgstat->vals[type].OutType = stats;
+                 *support = 1;
+                 continue;
+             } else if (0 == strncmp(name, "Icmp6InType", 11)) {
+                 strsep(&vals, "e");
+-                icmp6msgstat->vals[atoi(vals)].InType = stats;
++                type = atoi(vals);
++                if ( type < 0 || type > 255 )
++                    continue;
++                icmp6msgstat->vals[type].OutType = stats;
+                 *support = 1;
+                 continue;
+             }
+diff -urpN a/agent/mibgroup/mibII/kernel_linux.h b/agent/mibgroup/mibII/kernel_linux.h
+--- a/agent/mibgroup/mibII/kernel_linux.h
++++ b/agent/mibgroup/mibII/kernel_linux.h
+@@ -121,11 +121,11 @@ struct icmp_msg_mib {
+ 
+ /* Lets use wrapper structures for future expansion */
+ struct icmp4_msg_mib {
+-    struct icmp_msg_mib vals[255];
++    struct icmp_msg_mib vals[256];
+ };
+ 
+ struct icmp6_msg_mib {
+-    struct icmp_msg_mib vals[255];
++    struct icmp_msg_mib vals[256];
+ };
+ 
+ struct udp_mib {

meta-networking/recipes-protocols/net-snmp/net-snmp_5.7.2.bb

@@ -16,6 +16,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
         file://snmpd.service \
         file://snmptrapd.service \
         file://ifmib.patch \
+        file://net-snmp-5.7.2-fix-CVE-2014-2284.patch \
 "
 
 SRC_URI[md5sum] = "5bddd02e2f82b62daa79f82717737a14"