repair CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24809 CVE-2022-24810

agent/mibgroup/agent/nsLogging.c

@@ -147,6 +147,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
                 continue;
             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
             table_info  =                netsnmp_extract_table_info(request);
+            if (!table_info || !table_info->indexes)
+                continue;
 
             switch (table_info->colnum) {
             case NSLOGGING_TYPE:
@@ -201,6 +203,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
             }
             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
             table_info  =                 netsnmp_extract_table_info(request);
+            if (!table_info || !table_info->indexes)
+                continue;
 
             switch (table_info->colnum) {
             case NSLOGGING_TYPE:
@@ -394,6 +398,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
                 continue;
             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
             table_info  =                 netsnmp_extract_table_info(request);
+            if (!table_info || !table_info->indexes)
+                continue;
 
             switch (table_info->colnum) {
             case NSLOGGING_TYPE:

agent/mibgroup/agent/nsVacmAccessTable.c

@@ -170,9 +170,13 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
             entry = (struct vacm_accessEntry *)
                 netsnmp_extract_iterator_context(request);
             table_info = netsnmp_extract_table_info(request);
+            if (!table_info || !table_info->indexes)
+                continue;
 
             /* Extract the authType token from the list of indexes */
             idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
+            if (idx->val_len >= sizeof(atype))
+                continue;
             memset(atype, 0, sizeof(atype));
             memcpy(atype, (char *)idx->val.string, idx->val_len);
             viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
@@ -212,6 +216,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
             entry = (struct vacm_accessEntry *)
                 netsnmp_extract_iterator_context(request);
             table_info = netsnmp_extract_table_info(request);
+            if (!table_info || !table_info->indexes)
+                continue;
             ret = SNMP_ERR_NOERROR;
 
             switch (table_info->colnum) {
@@ -247,6 +253,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
                  * Extract the authType token from the list of indexes
                  */
                 idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
+                if (idx->val_len >= sizeof(atype))
+                    continue;
                 memset(atype, 0, sizeof(atype));
                 memcpy(atype, (char *)idx->val.string, idx->val_len);
                 viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
@@ -294,8 +302,10 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
                          idx = idx->next_variable;  model = *idx->val.integer;
                          idx = idx->next_variable;  level = *idx->val.integer;
                          entry = vacm_createAccessEntry( gName, cPrefix, model, level );
-                         entry->storageType = ST_NONVOLATILE;
-                         netsnmp_insert_iterator_context(request, (void*)entry);
+                         if (entry) {
+                             entry->storageType = ST_NONVOLATILE;
+                             netsnmp_insert_iterator_context(request, (void*)entry);
+                         }
                     }
                 }
             }
@@ -321,6 +331,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
 
             /* Extract the authType token from the list of indexes */
             idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
+            if (idx->val_len >= sizeof(atype))
+                continue;
             memset(atype, 0, sizeof(atype));
             memcpy(atype, (char *)idx->val.string, idx->val_len);
             viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);

agent/mibgroup/mibII/vacm_vars.c

@@ -997,6 +997,9 @@ access_parse_oid(oid * oidIndex, size_t oidLen,
         return 1;
     }
     groupNameL = oidIndex[0];
+    if ((groupNameL + 1) > (int) oidLen) {
+        return 1;
+    }
     contextPrefixL = oidIndex[groupNameL + 1];  /* the initial name length */
     if ((int) oidLen != groupNameL + contextPrefixL + 4) {
         return 1;

agent/mibgroup/snmpv3/usmUser.c

@@ -1507,8 +1507,6 @@ write_usmUserStatus(int action,
                 if (usmStatusCheck(uptr)) {
                     uptr->userStatus = RS_ACTIVE;
                 } else {
-                    SNMP_FREE(engineID);
-                    SNMP_FREE(newName);
                     return SNMP_ERR_INCONSISTENTVALUE;
                 }
             } else if (long_ret == RS_CREATEANDWAIT) {

agent/snmp_agent.c

@@ -2954,7 +2954,7 @@ netsnmp_check_requests_status(netsnmp_agent_session *asp,
         if (requests->status != SNMP_ERR_NOERROR &&
             (!look_for_specific || requests->status == look_for_specific)
             && (look_for_specific || asp->index == 0
-                || requests->index < asp->index)) {
+                || requests->index <= asp->index)) {
             asp->index = requests->index;
             asp->status = requests->status;
         }

debian/changelog

@@ -1,3 +1,9 @@
+net-snmp (5.8+dfsg-ok6) yangtze; urgency=medium
+
+  * l491 repair CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24809 CVE-2022-24810
+
+ -- lvbingbing <lvbingbing@bupt.edu.cn>  Fri, 03 Mar 2023 19:18:25 +0800
+
 net-snmp (5.8+dfsg-ok5) yangtze; urgency=medium
 
   * realpan_bupt CVE-2020-15862 安全更新：Net-SNMP 5.7.3及之前版本中存在安全漏洞.