
Commit 67ebb43

committed
CHANGES: snmpd: fix bounds checking in NET-SNMP-AGENT-MIB, NET-SNMP-VACM-MIB, SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE Fixes by: Arista Networks
1 parent 557fdff commit 67ebb43


4 files changed

+23
-4
lines changed


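--- a/agent/mibgroup/agent/nsLogging.c
+++ b/agent/mibgroup/agent/nsLogging.c
@@ -147,6 +147,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
 continue;
 logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
 table_info = netsnmp_extract_table_info(request);
+if (!table_info || !table_info->indexes)
+continue;
 
 switch (table_info->colnum) {
 case NSLOGGING_TYPE:
@@ -201,6 +203,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
 }
 logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
 table_info = netsnmp_extract_table_info(request);
+if (!table_info || !table_info->indexes)
+continue;
 
 switch (table_info->colnum) {
 case NSLOGGING_TYPE:
@@ -394,6 +398,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
 continue;
 logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
 table_info = netsnmp_extract_table_info(request);
+if (!table_info || !table_info->indexes)
+continue;
 
 switch (table_info->colnum) {
 case NSLOGGING_TYPE: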
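Review bot: The new guard `if (!table_info || !table_info->indexes) continue;` skips the request without recording any error, so a request that hits it is left unanswered rather than failed; this applies to all three hunks in handle_nsLoggingTable. If any of these loops runs in a SET phase (the mode switch is outside the hunks, so this is inferred), the agent could report success for a write it never applied. I would set an error before skipping, e.g. `netsnmp_set_request_error(reqinfo, request, SNMP_ERR_GENERR);`, where `reqinfo` stands for the handler's agent-request-info argument, whose name is not visible here. A one-line comment such as `/* malformed or missing index data: reject instead of dereferencing */` above each guard would also record why the check exists.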

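--- a/agent/mibgroup/agent/nsVacmAccessTable.c
+++ b/agent/mibgroup/agent/nsVacmAccessTable.c
@@ -170,9 +170,13 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
 entry = (struct vacm_accessEntry *)
 netsnmp_extract_iterator_context(request);
 table_info = netsnmp_extract_table_info(request);
+if (!table_info || !table_info->indexes)
+continue;
 
 /* Extract the authType token from the list of indexes */
 idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
+if (idx->val_len >= sizeof(atype))
+continue;
 memset(atype, 0, sizeof(atype));
 memcpy(atype, (char *)idx->val.string, idx->val_len);
 viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
@@ -212,6 +216,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
 entry = (struct vacm_accessEntry *)
 netsnmp_extract_iterator_context(request);
 table_info = netsnmp_extract_table_info(request);
+if (!table_info || !table_info->indexes)
+continue;
 ret = SNMP_ERR_NOERROR;
 
 switch (table_info->colnum) {
@@ -247,6 +253,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
 * Extract the authType token from the list of indexes
 */
 idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
+if (idx->val_len >= sizeof(atype))
+continue;
 memset(atype, 0, sizeof(atype));
 memcpy(atype, (char *)idx->val.string, idx->val_len);
 viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
@@ -294,8 +302,10 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
 idx = idx->next_variable; model = *idx->val.integer;
 idx = idx->next_variable; level = *idx->val.integer;
 entry = vacm_createAccessEntry( gName, cPrefix, model, level );
-entry->storageType = ST_NONVOLATILE;
-netsnmp_insert_iterator_context(request, (void*)entry);
+if (entry) {
+entry->storageType = ST_NONVOLATILE;
+netsnmp_insert_iterator_context(request, (void*)entry);
+}
 }
 }
 }
@@ -321,6 +331,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
 
 /* Extract the authType token from the list of indexes */
 idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
+if (idx->val_len >= sizeof(atype))
+continue;
 memset(atype, 0, sizeof(atype));
 memcpy(atype, (char *)idx->val.string, idx->val_len);
 viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);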
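Review bot: The guard added before each index walk checks only the head of the list, yet `idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;` follows four more links and then reads `idx->val_len` with none of them tested. If the table helper can ever hand over a list shorter than five entries (not verifiable from these hunks), that is a NULL dereference in the same code the commit hardens; the walk should stop at the first NULL link and the length test should become `if (!idx || !idx->val.string || idx->val_len >= sizeof(atype)) continue;`. The hunks at -247 and -321 show the walk without a visible `table_info` check, so confirm one exists above them. Separately, in the -294 hunk, when `vacm_createAccessEntry` returns NULL the new `if (entry)` block is skipped silently, so the request carries no error and later phases may find no row; setting a request error there would make the failure visible to the manager.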

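--- a/agent/mibgroup/mibII/vacm_vars.c
+++ b/agent/mibgroup/mibII/vacm_vars.c
@@ -997,6 +997,9 @@ access_parse_oid(oid * oidIndex, size_t oidLen,
 return 1;
 }
 groupNameL = oidIndex[0];
+if ((groupNameL + 1) > (int) oidLen) {
+return 1;
+}
 contextPrefixL = oidIndex[groupNameL + 1]; /* the initial name length */
 if ((int) oidLen != groupNameL + contextPrefixL + 4) {
 return 1;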
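Review bot: The added bound is off by one: `if ((groupNameL + 1) > (int) oidLen)` still lets `groupNameL + 1 == oidLen` through, and the next line then reads `oidIndex[groupNameL + 1]`, one element past the end of the array. `groupNameL` is also taken straight from a sub-identifier in the request; if it is a signed int (its declaration is outside the hunk, but the `(int)` cast suggests so), a very large value can turn negative and pass the comparison. A stricter guard would be `if (groupNameL < 0 || (size_t) groupNameL + 2 > oidLen) return 1;`. access_parse_oid starts and ends outside the hunk, so the same arithmetic in the later `oidLen != groupNameL + contextPrefixL + 4` test deserves the same look.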

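--- a/agent/mibgroup/snmpv3/usmUser.c
+++ b/agent/mibgroup/snmpv3/usmUser.c
@@ -1505,8 +1505,6 @@ write_usmUserStatus(int action,
 if (usmStatusCheck(uptr)) {
 uptr->userStatus = RS_ACTIVE;
 } else {
-SNMP_FREE(engineID);
-SNMP_FREE(newName);
 return SNMP_ERR_INCONSISTENTVALUE;
 }
 } else if (long_ret == RS_CREATEANDWAIT) {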
