| author | Bartłomiej Piotrowski <bpiotrowski@alpinelinux.org> | 2014-03-17 11:10:43 +0100 |
|---|---|---|
| committer | Bartłomiej Piotrowski <bpiotrowski@alpinelinux.org> | 2014-03-17 11:10:55 +0100 |
| commit | 1a725edc654c99d6859d372346a61ba6edb5c266 (patch) | |
| tree | 65083989275bc042dffa338d7252c775f398ec5a | |
| parent | 1862ea8ad0e334ef762042b19a9d3ef988891caa (diff) | |
| download | aports-1a725edc654c99d6859d372346a61ba6edb5c266.tar.bz2 aports-1a725edc654c99d6859d372346a61ba6edb5c266.tar.xz | |
main/net-snmp: security fixes for CVE-2014-2285 and CVE-2014-2284
| -rw-r--r-- | main/net-snmp/0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch | 152 | ||||
| -rw-r--r-- | main/net-snmp/APKBUILD | 16 | ||||
| -rw-r--r-- | main/net-snmp/TrapReceiver.patch | 26 |
3 files changed, 190 insertions, 4 deletions
diff --git a/main/net-snmp/0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch b/main/net-snmp/0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch
new file mode 100644
index 0000000000..60bb98a053
--- /dev/null
+++ b/main/net-snmp/0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch
@@ -0,0 +1,152 @@
+From a1fd64716f6794c55c34d77e618210238a73bfa1 Mon Sep 17 00:00:00 2001
+From: Wes Hardaker <hardaker@users.sourceforge.net>
+Date: Wed, 19 Feb 2014 15:21:57 -0800
+Subject: [PATCH] bug fix from fenner: fix ICMP mib table handling on linux
+
+---
+ agent/mibgroup/mibII/icmp.c | 25 +++++++++++++++++++++++--
+ agent/mibgroup/mibII/kernel_linux.c | 19 +++++++++++++------
+ agent/mibgroup/mibII/kernel_linux.h | 4 ++--
+ 3 files changed, 38 insertions(+), 10 deletions(-)
+
+diff --git a/agent/mibgroup/mibII/icmp.c b/agent/mibgroup/mibII/icmp.c
+index af63395..e43380a 100644
+--- a/agent/mibgroup/mibII/icmp.c
++++ b/agent/mibgroup/mibII/icmp.c
+@@ -103,10 +103,20 @@ struct icmp_msg_stats_table_entry {
+ int flags;
+ };
+
++#ifdef linux
++/* Linux keeps track of all possible message types */
++#define ICMP_MSG_STATS_IPV4_COUNT 256
++#else
+ #define ICMP_MSG_STATS_IPV4_COUNT 11
++#endif
+
+ #ifdef NETSNMP_ENABLE_IPV6
++#ifdef linux
++/* Linux keeps track of all possible message types */
++#define ICMP_MSG_STATS_IPV6_COUNT 256
++#else
+ #define ICMP_MSG_STATS_IPV6_COUNT 14
++#endif
+ #else
+ #define ICMP_MSG_STATS_IPV6_COUNT 0
+ #endif /* NETSNMP_ENABLE_IPV6 */
+@@ -172,7 +182,7 @@ icmp_msg_stats_load(netsnmp_cache *cache, void *vmagic)
+ inc = 0;
+ linux_read_icmp_msg_stat(&v4icmp, &v4icmpmsg, &flag);
+ if (flag) {
+- while (254 != k) {
++ while (255 >= k) {
+ if (v4icmpmsg.vals[k].InType) {
+ icmp_msg_stats_table[i].ipVer = 1;
+ icmp_msg_stats_table[i].icmpMsgStatsType = k;
+@@ -262,7 +272,7 @@ icmp_msg_stats_load(netsnmp_cache *cache, void *vmagic)
+ inc = 0;
+ linux_read_icmp6_msg_stat(&v6icmp, &v6icmpmsg, &flag);
+ if (flag) {
+- while (254 != k) {
++ while (255 >= k) {
+ if (v6icmpmsg.vals[k].InType) {
+ icmp_msg_stats_table[i].ipVer = 2;
+ icmp_msg_stats_table[i].icmpMsgStatsType = k;
+@@ -1059,6 +1069,12 @@ icmp_stats_table_handler(netsnmp_mib_handler *handler,
+ continue;
+ table_info = netsnmp_extract_table_info(request);
+ subid = table_info->colnum;
++ DEBUGMSGTL(( "mibII/icmpStatsTable", "oid: " ));
++ DEBUGMSGOID(( "mibII/icmpStatsTable", request->requestvb->name,
++ request->requestvb->name_length ));
++ DEBUGMSG(( "mibII/icmpStatsTable", " In %d InErr %d Out %d OutErr %d\n",
++ entry->icmpStatsInMsgs, entry->icmpStatsInErrors,
++ entry->icmpStatsOutMsgs, entry->icmpStatsOutErrors ));
+
+ switch (subid) {
+ case ICMP_STAT_INMSG:
+@@ -1124,6 +1140,11 @@ icmp_msg_stats_table_handler(netsnmp_mib_handler *handler,
+ continue;
+ table_info = netsnmp_extract_table_info(request);
+ subid = table_info->colnum;
++ DEBUGMSGTL(( "mibII/icmpMsgStatsTable", "oid: " ));
++ DEBUGMSGOID(( "mibII/icmpMsgStatsTable", request->requestvb->name,
++ request->requestvb->name_length ));
++ DEBUGMSG(( "mibII/icmpMsgStatsTable", " In %d Out %d Flags 0x%x\n",
++ entry->icmpMsgStatsInPkts, entry->icmpMsgStatsOutPkts, entry->flags ));
+
+ switch (subid) {
+ case ICMP_MSG_STAT_IN_PKTS:
+diff --git a/agent/mibgroup/mibII/kernel_linux.c b/agent/mibgroup/mibII/kernel_linux.c
+index 397365c..26b899c 100644
+--- a/agent/mibgroup/mibII/kernel_linux.c
++++ b/agent/mibgroup/mibII/kernel_linux.c
+@@ -76,9 +76,9 @@ decode_icmp_msg(char *line, char *data, struct icmp4_msg_mib *msg)
+ index = strtol(token, &delim, 0);
+ if (ERANGE == errno) {
+ continue;
+- } else if (index > LONG_MAX) {
++ } else if (index > 255) {
+ continue;
+- } else if (index < LONG_MIN) {
++ } else if (index < 0) {
+ continue;
+ }
+ if (NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
+@@ -89,9 +89,9 @@ decode_icmp_msg(char *line, char *data, struct icmp4_msg_mib *msg)
+ index = strtol(token, &delim, 0);
+ if (ERANGE == errno) {
+ continue;
+- } else if (index > LONG_MAX) {
++ } else if (index > 255) {
+ continue;
+- } else if (index < LONG_MIN) {
++ } else if (index < 0) {
+ continue;
+ }
+ if(NULL == (token = strtok_r(dataptr, " ", &saveptr1)))
+@@ -419,14 +419,21 @@ linux_read_icmp6_parse(struct icmp6_mib *icmp6stat,
+
+ vals = name;
+ if (NULL != icmp6msgstat) {
++ int type;
+ if (0 == strncmp(name, "Icmp6OutType", 12)) {
+ strsep(&vals, "e");
+- icmp6msgstat->vals[atoi(vals)].OutType = stats;
++ type = atoi(vals);
++ if ( type < 0 || type > 255 )
++ continue;
++ icmp6msgstat->vals[type].OutType = stats;
+ *support = 1;
+ continue;
+ } else if (0 == strncmp(name, "Icmp6InType", 11)) {
+ strsep(&vals, "e");
+- icmp6msgstat->vals[atoi(vals)].InType = stats;
++ type = atoi(vals);
++ if ( type < 0 || type > 255 )
++ continue;
++ icmp6msgstat->vals[type].InType = stats;
+ *support = 1;
+ continue;
+ }
+diff --git a/agent/mibgroup/mibII/kernel_linux.h b/agent/mibgroup/mibII/kernel_linux.h
+index 6bf5d47..c6dfca9 100644
+--- a/agent/mibgroup/mibII/kernel_linux.h
++++ b/agent/mibgroup/mibII/kernel_linux.h
+@@ -121,11 +121,11 @@ struct icmp_msg_mib {
+
+ /* Lets use wrapper structures for future expansion */
+ struct icmp4_msg_mib {
+- struct icmp_msg_mib vals[255];
++ struct icmp_msg_mib vals[256];
+ };
+
+ struct icmp6_msg_mib {
+- struct icmp_msg_mib vals[255];
++ struct icmp_msg_mib vals[256];
+ };
+
+ struct udp_mib {
+--
+1.9.0
+
diff --git a/main/net-snmp/APKBUILD b/main/net-snmp/APKBUILD
index 3b2b5d3d6a..610704eeb6 100644
--- a/main/net-snmp/APKBUILD
+++ b/main/net-snmp/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@gmail.com>
 pkgname=net-snmp
 pkgver=5.7.2
-pkgrel=1
+pkgrel=2
 pkgdesc="Simple Network Management Protocol"
 url="http://www.net-snmp.org/"
 arch="all"
@@ -21,6 +21,8 @@ source="http://downloads.sourceforge.net/$pkgname/$pkgname-$pkgver.tar.gz
 snmpd.confd
 snmptrapd.initd
 snmptrapd.confd
+ 0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch
+ TrapReceiver.patch
 "
 _builddir="$srcdir/$pkgname-$pkgver"
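Review bot: In the kernel_linux.c part of the added patch, linux_read_icmp6_parse applies its new 0..255 check to the result of `atoi(vals)`, but atoi reports no conversion errors and its behaviour is undefined when the text does not fit an int, so a malformed suffix after "Icmp6OutType"/"Icmp6InType" is indistinguishable from type 0 and lands in `vals[0]`. Both branches would be tighter with `char *end; long t = strtol(vals, &end, 10);` followed by `if (end == vals || t < 0 || t > 255) continue;`. In decode_icmp_msg the `ERANGE == errno` test is only meaningful if errno is cleared before each `strtol` call, which the hunk context does not show, and an empty conversion (`delim == token`) still passes the new range check as index 0. These functions start and end outside the hunks shown, so both points should be confirmed against the full file.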
@@ -168,18 +170,24 @@ bd7dc10ffb5839e35ec37effcc53c2ad netsnmp-swinst-crash.patch
 198a4a7b80557fa8112394df5ec9914e snmpd.initd
 96510a2f3bc9f21648b03f7e8d76c0d3 snmpd.confd
 7ce3e9e880fc6313ae87eb000bae4bda snmptrapd.initd
-363f7728a76bdfc46e29b7e1f5cf4950 snmptrapd.confd"
+363f7728a76bdfc46e29b7e1f5cf4950 snmptrapd.confd
+594219e87692de175bef154e4fcbae29 0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch
+c12d2e98d8d24eccf28d47d8abefdaf5 TrapReceiver.patch"
 sha256sums="09ed31b4cc1f3c0411ef9a16eff79ef3b30d89c32ca46d5a01a41826c4ceb816 net-snmp-5.7.2.tar.gz
 377e54bc2b66590c1c5174bf2e2c820adcbecd703d67c68be13c325d04d7d0c4 netsnmp-swinst-crash.patch
 7528f7d368a0a4536915805c065f8496c37cb99dbc74d508bed89831cd5af37e fix-includes.patch
 2fa0a1ecd5f64827592bf55f0416cb61c6eec114aadd3e9d20aa92ce71c3a09f snmpd.initd
 4a8eb647d8b8f25b03858e3815489eaf2cd8fd4932185f97a1d896f8ee2f85e8 snmpd.confd
 4baf3ee9950ded78078d93c32833ff657d7e85580d64778cdc9a963cf24bc7ab snmptrapd.initd
-095647b0e5be51e2bdd398267d7450da678b7d23cae6273f9b9461a26f89d69f snmptrapd.confd"
+095647b0e5be51e2bdd398267d7450da678b7d23cae6273f9b9461a26f89d69f snmptrapd.confd
+9b9b783bc9bfaed1c20a180bbe4383b4f424a52690015177b2d7932848a9910a 0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch
+a7cb305031041476c708500a92244a307477ff2723d2e67912ea15490a76c007 TrapReceiver.patch"
 sha512sums="6cf9847c30d861f1c7002ca68f8317f84e7a7278ab78e92e6481a5296e0bf1e5f3525ec566002bd307d8d907699e9baef9f3919ba18d0948cc3bb550b99de882 net-snmp-5.7.2.tar.gz
 78c036f1e6b4e3592cb2a6ff9b22671c930e337e9644298a9f78b6f13af1d9241d9c15dcc996b441b51cb2d551bf2dfe5caf602ff1e17baf7b6532f3dc6ba5bd netsnmp-swinst-crash.patch
 87a552bd2e41684bba6e87fbcf6454a85ee912d7a339411fda24cebddf7661f0856729e076a917920a542cf84b687ffd90a091daa15f2c48f0ff64f3a53c0ddb fix-includes.patch
 ad66fef217ad9884114e9006c20074288656cf79fae19b59941545bbb551adfaaf4ec54cd0802e096a715d35c49a7c94cd4369302f847b8ba2892bd9fb62848c snmpd.initd
 3030ad11dd556569e481f108af69aef620b1fe67be8d8d12016f4aed1f0ffdb6c2ee87c40ed5bc883986568227e097cb7aa958658e01da51576848715bf65472 snmpd.confd
 e9b29b89d27e88420932ea6ca077a6c807ae5555436cad4d840ec732b5851a498661d0d174f22d308f403904b623d7eadf9d201a539529ff57ced18bc8c58b6f snmptrapd.initd
-9cafeece565ca09c2cc85fa9c805d9932a745aca45b999e7511ccd0ffe0a95eddc1441ed231acf52a811db124bc2f797612ebb182b0a8a959ad24506e790a0b1 snmptrapd.confd"
+9cafeece565ca09c2cc85fa9c805d9932a745aca45b999e7511ccd0ffe0a95eddc1441ed231acf52a811db124bc2f797612ebb182b0a8a959ad24506e790a0b1 snmptrapd.confd
+93aae2a50dc94e4a27d3736212c8ef67c3cd8e3563a65aaa5b7f189f80e25e6a88428e21fc44777ba0d66c5ee8d2ed70bdc17f604efdcd7eb5483a397e5dd33c 0001-bug-fix-from-fenner-fix-ICMP-mib-table-handling-on-l.patch
+ae6387f06ea1ed302f1112e95d503c5535492a4627b3d28f2c578c2f8d5a45db3ae050ba5f1b48bf57a1c1af423c2f319c689049b25a90c4ffecedcba04f7557 TrapReceiver.patch"
diff --git a/main/net-snmp/TrapReceiver.patch b/main/net-snmp/TrapReceiver.patch
new file mode 100644
index 0000000000..5f28d5ce4b
--- /dev/null
+++ b/main/net-snmp/TrapReceiver.patch
@@ -0,0 +1,26 @@
+--- net-snmp-5.7.3.pre3/perl/TrapReceiver/TrapReceiver.xs.null 2014-02-25 21:50:16.000000000 +0100
++++ net-snmp-5.7.3.pre3/perl/TrapReceiver/TrapReceiver.xs 2014-03-03 18:59:20.261766270 +0100
+@@ -81,18 +81,18 @@ int perl_trapd_handler( netsnmp_pdu
+ STOREPDUi("securitymodel", pdu->securityModel);
+ STOREPDUi("securitylevel", pdu->securityLevel);
+ STOREPDU("contextName",
+- newSVpv(pdu->contextName, pdu->contextNameLen));
++ newSVpv(pdu->contextName ? pdu->contextName : "", pdu->contextNameLen));
+ STOREPDU("contextEngineID",
+- newSVpv((char *) pdu->contextEngineID,
++ newSVpv(pdu->contextEngineID ? (char *) pdu->contextEngineID : "",
+ pdu->contextEngineIDLen));
+ STOREPDU("securityEngineID",
+- newSVpv((char *) pdu->securityEngineID,
++ newSVpv(pdu->securityEngineID ? (char *) pdu->securityEngineID : "",
+ pdu->securityEngineIDLen));
+ STOREPDU("securityName",
+- newSVpv((char *) pdu->securityName, pdu->securityNameLen));
++ newSVpv(pdu->securityName ? (char *) pdu->securityName : "", pdu->securityNameLen));
+ } else {
+ STOREPDU("community",
+- newSVpv((char *) pdu->community, pdu->community_len));
++ newSVpv(pdu->community ? (char *) pdu->community : "", pdu->community_len));
+ }
+
+ if (transport && transport->f_fmtaddr) { |
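Review bot: The NULL fallbacks added in perl_trapd_handler substitute `""` for the pointer but still pass the original length, so a PDU with, for example, `contextName == NULL` and a non-zero `contextNameLen` would make `newSVpv` copy that many bytes starting at a one-byte literal. Whether that combination is reachable is not visible in this hunk, but zeroing the length together with the pointer closes it, e.g. `newSVpv(pdu->contextName ? pdu->contextName : "", pdu->contextName ? pdu->contextNameLen : 0)`, and likewise for the other four fields. `newSVpv` also falls back to `strlen` when the length is 0, so a non-NULL, zero-length, unterminated buffer is still read past its end; `newSVpvn` takes the length literally. The function body continues outside the hunk.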
