You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

156 lines
6.3 KiB

953926 - snmptrapd crash "buffer overflow detected" at fortify_fail.c
commit 40938a62619590b4ea071ae85baa2f42a0b7fcb2
Author: Jan Safranek <jsafranek@users.sourceforge.net>
Date: Mon Apr 22 15:00:00 2013 +0200
Check if 'asn_parse_* ' actually succeeded.
If not, discard the packet instead of using wrong data.
diff --git a/snmplib/snmp_api.c b/snmplib/snmp_api.c
index e5c45d9..0842842 100644
--- a/snmplib/snmp_api.c
+++ b/snmplib/snmp_api.c
@@ -4709,9 +4709,11 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
case ASN_INTEGER:
vp->val.integer = (long *) vp->buf;
vp->val_len = sizeof(long);
- asn_parse_int(var_val, &len, &vp->type,
+ data = asn_parse_int(var_val, &len, &vp->type,
(long *) vp->val.integer,
sizeof(*vp->val.integer));
+ if (!data)
+ return -1;
break;
case ASN_COUNTER:
case ASN_GAUGE:
@@ -4719,9 +4721,11 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
case ASN_UINTEGER:
vp->val.integer = (long *) vp->buf;
vp->val_len = sizeof(u_long);
- asn_parse_unsigned_int(var_val, &len, &vp->type,
+ data = asn_parse_unsigned_int(var_val, &len, &vp->type,
(u_long *) vp->val.integer,
vp->val_len);
+ if (!data)
+ return -1;
break;
#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
case ASN_OPAQUE_COUNTER64:
@@ -4730,34 +4734,45 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
case ASN_COUNTER64:
vp->val.counter64 = (struct counter64 *) vp->buf;
vp->val_len = sizeof(struct counter64);
- asn_parse_unsigned_int64(var_val, &len, &vp->type,
+ data = asn_parse_unsigned_int64(var_val, &len, &vp->type,
(struct counter64 *) vp->val.
counter64, vp->val_len);
+ if (!data)
+ return -1;
break;
#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
case ASN_OPAQUE_FLOAT:
vp->val.floatVal = (float *) vp->buf;
vp->val_len = sizeof(float);
- asn_parse_float(var_val, &len, &vp->type,
+ data = asn_parse_float(var_val, &len, &vp->type,
vp->val.floatVal, vp->val_len);
+ if (!data)
+ return -1;
break;
case ASN_OPAQUE_DOUBLE:
vp->val.doubleVal = (double *) vp->buf;
vp->val_len = sizeof(double);
- asn_parse_double(var_val, &len, &vp->type,
+ data = asn_parse_double(var_val, &len, &vp->type,
vp->val.doubleVal, vp->val_len);
+ if (!data)
+ return -1;
break;
case ASN_OPAQUE_I64:
vp->val.counter64 = (struct counter64 *) vp->buf;
vp->val_len = sizeof(struct counter64);
- asn_parse_signed_int64(var_val, &len, &vp->type,
+ data = asn_parse_signed_int64(var_val, &len, &vp->type,
(struct counter64 *) vp->val.counter64,
sizeof(*vp->val.counter64));
+ if (!data)
+ return -1;
break;
#endif /* NETSNMP_WITH_OPAQUE_SPECIAL_TYPES */
- case ASN_OCTET_STR:
case ASN_IPADDRESS:
+ if (vp->val_len != 4)
+ return -1;
+ /* fallthrough */
+ case ASN_OCTET_STR:
case ASN_OPAQUE:
case ASN_NSAP:
if (vp->val_len < sizeof(vp->buf)) {
@@ -4768,12 +4783,16 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
if (vp->val.string == NULL) {
return -1;
}
- asn_parse_string(var_val, &len, &vp->type, vp->val.string,
+ data = asn_parse_string(var_val, &len, &vp->type, vp->val.string,
&vp->val_len);
+ if (!data)
+ return -1;
break;
case ASN_OBJECT_ID:
vp->val_len = MAX_OID_LEN;
- asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len);
+ data = asn_parse_objid(var_val, &len, &vp->type, objid, &vp->val_len);
+ if (!data)
+ return -1;
vp->val_len *= sizeof(oid);
vp->val.objid = (oid *) malloc(vp->val_len);
if (vp->val.objid == NULL) {
@@ -4791,8 +4810,10 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length)
if (vp->val.bitstring == NULL) {
return -1;
}
- asn_parse_bitstring(var_val, &len, &vp->type,
+ data = asn_parse_bitstring(var_val, &len, &vp->type,
vp->val.bitstring, &vp->val_len);
+ if (!data)
+ return -1;
break;
default:
snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type);
commit aa4fb949012d7c022a436992ac203c065fd7420a
Author: Jan Safranek <jsafranek@users.sourceforge.net>
Date: Mon Apr 22 14:58:41 2013 +0200
Integer values encoded in BER must have at least one character.
If asn_length == 0, we would read the first byte of the next varbind on next line:
if (*bufp & 0x80)
-> reading past the buffer if there is no such variable -> sigsegv.
diff --git a/snmplib/asn1.c b/snmplib/asn1.c
index 1af7787..5de6b75 100644
--- a/snmplib/asn1.c
+++ b/snmplib/asn1.c
@@ -510,7 +510,7 @@ asn_parse_int(u_char * data,
(errpre, bufp, data, asn_length, *datalength))
return NULL;
- if ((size_t) asn_length > intsize) {
+ if ((size_t) asn_length > intsize || (int) asn_length == 0) {
_asn_length_err(errpre, (size_t) asn_length, intsize);
return NULL;
}
@@ -582,7 +582,7 @@ asn_parse_unsigned_int(u_char * data,
(errpre, bufp, data, asn_length, *datalength))
return NULL;
- if ((asn_length > (intsize + 1)) ||
+ if (((int) asn_length > (intsize + 1)) || ((int) asn_length == 0) ||
((asn_length == intsize + 1) && *bufp != 0x00)) {
_asn_length_err(errpre, (size_t) asn_length, intsize);
return NULL;