openkylin
/
net-snmp
mirror of https://gitee.com/openkylin/net-snmp.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

repair CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24809 CVE-2022-24810

This commit is contained in:
Faye 2023-03-03 19:43:37 +08:00
parent d921ad5e73
commit eeb5f10e6c
6 changed files with 30 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
agent/mibgroup/agent/nsLogging.c
View File

@ -147,6 +147,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
continue; continue;
logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
table_info = netsnmp_extract_table_info(request); table_info = netsnmp_extract_table_info(request);
if (!table_info || !table_info->indexes)
continue;
switch (table_info->colnum) { switch (table_info->colnum) {
case NSLOGGING_TYPE: case NSLOGGING_TYPE:
@ -201,6 +203,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
} }
logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
table_info = netsnmp_extract_table_info(request); table_info = netsnmp_extract_table_info(request);
if (!table_info || !table_info->indexes)
continue;
switch (table_info->colnum) { switch (table_info->colnum) {
case NSLOGGING_TYPE: case NSLOGGING_TYPE:
@ -394,6 +398,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
continue; continue;
logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request); logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
table_info = netsnmp_extract_table_info(request); table_info = netsnmp_extract_table_info(request);
if (!table_info || !table_info->indexes)
continue;
switch (table_info->colnum) { switch (table_info->colnum) {
case NSLOGGING_TYPE: case NSLOGGING_TYPE:

16
agent/mibgroup/agent/nsVacmAccessTable.c
View File

@ -170,9 +170,13 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
entry = (struct vacm_accessEntry *) entry = (struct vacm_accessEntry *)
netsnmp_extract_iterator_context(request); netsnmp_extract_iterator_context(request);
table_info = netsnmp_extract_table_info(request); table_info = netsnmp_extract_table_info(request);
if (!table_info || !table_info->indexes)
continue;
/* Extract the authType token from the list of indexes */ /* Extract the authType token from the list of indexes */
idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable; idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
if (idx->val_len >= sizeof(atype))
continue;
memset(atype, 0, sizeof(atype)); memset(atype, 0, sizeof(atype));
memcpy(atype, (char *)idx->val.string, idx->val_len); memcpy(atype, (char *)idx->val.string, idx->val_len);
viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype); viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
@ -212,6 +216,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
entry = (struct vacm_accessEntry *) entry = (struct vacm_accessEntry *)
netsnmp_extract_iterator_context(request); netsnmp_extract_iterator_context(request);
table_info = netsnmp_extract_table_info(request); table_info = netsnmp_extract_table_info(request);
if (!table_info || !table_info->indexes)
continue;
ret = SNMP_ERR_NOERROR; ret = SNMP_ERR_NOERROR;
switch (table_info->colnum) { switch (table_info->colnum) {
@ -247,6 +253,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
* Extract the authType token from the list of indexes * Extract the authType token from the list of indexes
*/ */
idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable; idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
if (idx->val_len >= sizeof(atype))
continue;
memset(atype, 0, sizeof(atype)); memset(atype, 0, sizeof(atype));
memcpy(atype, (char *)idx->val.string, idx->val_len); memcpy(atype, (char *)idx->val.string, idx->val_len);
viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype); viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
@ -294,8 +302,10 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
idx = idx->next_variable; model = *idx->val.integer; idx = idx->next_variable; model = *idx->val.integer;
idx = idx->next_variable; level = *idx->val.integer; idx = idx->next_variable; level = *idx->val.integer;
entry = vacm_createAccessEntry( gName, cPrefix, model, level ); entry = vacm_createAccessEntry( gName, cPrefix, model, level );
entry->storageType = ST_NONVOLATILE; if (entry) {
netsnmp_insert_iterator_context(request, (void*)entry); entry->storageType = ST_NONVOLATILE;
netsnmp_insert_iterator_context(request, (void*)entry);
}
} }
} }
} }
@ -321,6 +331,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
/* Extract the authType token from the list of indexes */ /* Extract the authType token from the list of indexes */
idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable; idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
if (idx->val_len >= sizeof(atype))
continue;
memset(atype, 0, sizeof(atype)); memset(atype, 0, sizeof(atype));
memcpy(atype, (char *)idx->val.string, idx->val_len); memcpy(atype, (char *)idx->val.string, idx->val_len);
viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype); viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);

3
agent/mibgroup/mibII/vacm_vars.c
View File

@ -997,6 +997,9 @@ access_parse_oid(oid * oidIndex, size_t oidLen,
return 1; return 1;
} }
groupNameL = oidIndex[0]; groupNameL = oidIndex[0];
if ((groupNameL + 1) > (int) oidLen) {
return 1;
}
contextPrefixL = oidIndex[groupNameL + 1]; /* the initial name length */ contextPrefixL = oidIndex[groupNameL + 1]; /* the initial name length */
if ((int) oidLen != groupNameL + contextPrefixL + 4) { if ((int) oidLen != groupNameL + contextPrefixL + 4) {
return 1; return 1;

2
agent/mibgroup/snmpv3/usmUser.c
View File

@ -1507,8 +1507,6 @@ write_usmUserStatus(int action,
if (usmStatusCheck(uptr)) { if (usmStatusCheck(uptr)) {
uptr->userStatus = RS_ACTIVE; uptr->userStatus = RS_ACTIVE;
} else { } else {
SNMP_FREE(engineID);
SNMP_FREE(newName);
return SNMP_ERR_INCONSISTENTVALUE; return SNMP_ERR_INCONSISTENTVALUE;
} }
} else if (long_ret == RS_CREATEANDWAIT) { } else if (long_ret == RS_CREATEANDWAIT) {

2
agent/snmp_agent.c
View File

@ -2954,7 +2954,7 @@ netsnmp_check_requests_status(netsnmp_agent_session *asp,
if (requests->status != SNMP_ERR_NOERROR && if (requests->status != SNMP_ERR_NOERROR &&
(!look_for_specific || requests->status == look_for_specific) (!look_for_specific || requests->status == look_for_specific)
&& (look_for_specific || asp->index == 0 && (look_for_specific || asp->index == 0
|| requests->index < asp->index)) { || requests->index <= asp->index)) {
asp->index = requests->index; asp->index = requests->index;
asp->status = requests->status; asp->status = requests->status;
} }

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
net-snmp (5.8+dfsg-ok6) yangtze; urgency=medium
* l491 repair CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24809 CVE-2022-24810
-- lvbingbing <lvbingbing@bupt.edu.cn> Fri, 03 Mar 2023 19:18:25 +0800
net-snmp (5.8+dfsg-ok5) yangtze; urgency=medium net-snmp (5.8+dfsg-ok5) yangtze; urgency=medium
* realpan_bupt CVE-2020-15862 安全更新Net-SNMP 5.7.3及之前版本中存在安全漏洞. * realpan_bupt CVE-2020-15862 安全更新Net-SNMP 5.7.3及之前版本中存在安全漏洞.