diff options
Diffstat (limited to 'net-analyzer/net-snmp/files/net-snmp-5.4.1-CVE-2008-2292.patch')
-rw-r--r-- | net-analyzer/net-snmp/files/net-snmp-5.4.1-CVE-2008-2292.patch | 192 |
1 files changed, 192 insertions, 0 deletions
diff --git a/net-analyzer/net-snmp/files/net-snmp-5.4.1-CVE-2008-2292.patch b/net-analyzer/net-snmp/files/net-snmp-5.4.1-CVE-2008-2292.patch new file mode 100644 index 000000000000..125ccf22b6c7 --- /dev/null +++ b/net-analyzer/net-snmp/files/net-snmp-5.4.1-CVE-2008-2292.patch @@ -0,0 +1,192 @@ +r16770 | dts12 | 2007-12-22 22:22:44 +0300 (Сбт, 22 Дек 2007) | 2 lines + +CHANGES: perl: BUG: 1826174: Check for buffer overflow when printing values. + +CHANGES: python: BUG: 1826174: Check for buffer overflow when printing values. +Addresses CVE-2008-2292 + +--- perl/SNMP/SNMP.xs (revision 16769) ++++ perl/SNMP/SNMP.xs (revision 16770) +@@ -470,14 +470,16 @@ + if (flag == USE_ENUMS) { + for(ep = tp->enums; ep; ep = ep->next) { + if (ep->value == *var->val.integer) { +- strcpy(buf, ep->label); ++ strncpy(buf, ep->label, buf_len); ++ buf[buf_len-1] = '\0'; + len = strlen(buf); + break; + } + } + } + if (!len) { +- sprintf(buf,"%ld", *var->val.integer); ++ snprintf(buf, buf_len, "%ld", *var->val.integer); ++ buf[buf_len-1] = '\0'; + len = strlen(buf); + } + break; +@@ -486,21 +488,25 @@ + case ASN_COUNTER: + case ASN_TIMETICKS: + case ASN_UINTEGER: +- sprintf(buf,"%lu", (unsigned long) *var->val.integer); ++ snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer); ++ buf[buf_len-1] = '\0'; + len = strlen(buf); + break; + + case ASN_OCTET_STR: + case ASN_OPAQUE: +- memcpy(buf, (char*)var->val.string, var->val_len); + len = var->val_len; ++ if ( len > buf_len ) ++ len = buf_len; ++ memcpy(buf, (char*)var->val.string, len); + break; + + case ASN_IPADDRESS: +- ip = (u_char*)var->val.string; +- sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); +- len = strlen(buf); +- break; ++ ip = (u_char*)var->val.string; ++ snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); ++ buf[buf_len-1] = '\0'; ++ len = strlen(buf); ++ break; + + case ASN_NULL: + break; +@@ -512,14 +518,14 @@ + break; + + case SNMP_ENDOFMIBVIEW: +- sprintf(buf,"%s", "ENDOFMIBVIEW"); +- break; ++ snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW"); ++ break; + case SNMP_NOSUCHOBJECT: +- sprintf(buf,"%s", "NOSUCHOBJECT"); +- break; ++ snprintf(buf, buf_len, "%s", "NOSUCHOBJECT"); ++ break; + case SNMP_NOSUCHINSTANCE: +- sprintf(buf,"%s", "NOSUCHINSTANCE"); +- break; ++ snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE"); ++ break; + + case ASN_COUNTER64: + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES +@@ -538,19 +544,19 @@ + #endif + + case ASN_BIT_STR: +- snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL); ++ snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL); + len = strlen(buf); + break; + #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES + case ASN_OPAQUE_FLOAT: +- if (var->val.floatVal) +- sprintf(buf,"%f", *var->val.floatVal); +- break; ++ if (var->val.floatVal) ++ snprintf(buf, buf_len, "%f", *var->val.floatVal); ++ break; + + case ASN_OPAQUE_DOUBLE: +- if (var->val.doubleVal) +- sprintf(buf,"%f", *var->val.doubleVal); +- break; ++ if (var->val.doubleVal) ++ snprintf(buf, buf_len, "%f", *var->val.doubleVal); ++ break; + #endif + + case ASN_NSAP: +--- python/netsnmp/client_intf.c (revision 16961) ++++ python/netsnmp/client_intf.c (revision 16962) +@@ -330,14 +330,15 @@ + if (flag == USE_ENUMS) { + for(ep = tp->enums; ep; ep = ep->next) { + if (ep->value == *var->val.integer) { +- strcpy(buf, ep->label); ++ strncpy(buf, ep->label, buf_len); ++ buf[buf_len -1] = 0; + len = STRLEN(buf); + break; + } + } + } + if (!len) { +- sprintf(buf,"%ld", *var->val.integer); ++ snprintf(buf,"%ld", buf_len, *var->val.integer); + len = STRLEN(buf); + } + break; +@@ -346,19 +347,21 @@ + case ASN_COUNTER: + case ASN_TIMETICKS: + case ASN_UINTEGER: +- sprintf(buf,"%lu", (unsigned long) *var->val.integer); ++ snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer); + len = STRLEN(buf); + break; + + case ASN_OCTET_STR: + case ASN_OPAQUE: +- memcpy(buf, (char*)var->val.string, var->val_len); + len = var->val_len; ++ if (len > buf_len) ++ len = buf_len; ++ memcpy(buf, (char*)var->val.string, len); + break; + + case ASN_IPADDRESS: + ip = (u_char*)var->val.string; +- sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); ++ snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]); + len = STRLEN(buf); + break; + +@@ -372,13 +375,13 @@ + break; + + case SNMP_ENDOFMIBVIEW: +- sprintf(buf,"%s", "ENDOFMIBVIEW"); ++ snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW"); + break; + case SNMP_NOSUCHOBJECT: +- sprintf(buf,"%s", "NOSUCHOBJECT"); ++ snprintf(buf, buf_len, "%s", "NOSUCHOBJECT"); + break; + case SNMP_NOSUCHINSTANCE: +- sprintf(buf,"%s", "NOSUCHINSTANCE"); ++ snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE"); + break; + + case ASN_COUNTER64: +@@ -398,18 +401,18 @@ + #endif + + case ASN_BIT_STR: +- snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL); ++ snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL); + len = STRLEN(buf); + break; + #ifdef OPAQUE_SPECIAL_TYPES + case ASN_OPAQUE_FLOAT: + if (var->val.floatVal) +- sprintf(buf,"%f", *var->val.floatVal); ++ snprintf(buf, buf_len, "%f", *var->val.floatVal); + break; + + case ASN_OPAQUE_DOUBLE: + if (var->val.doubleVal) +- sprintf(buf,"%f", *var->val.doubleVal); ++ snprintf(buf, buf_len, "%f", *var->val.doubleVal); + break; + #endif + |