Date:      Sat, 7 Jan 2017 08:47:27 +0000 (UTC)
From:      Ngie Cooper <ngie@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org
Subject:   svn commit: r311596 - stable/11/contrib/bsnmp/snmpd
Message-ID:  <201701070847.v078lRGX081785@repo.freebsd.org>

Author: ngie
Date: Sat Jan  7 08:47:27 2017
New Revision: 311596
URL: https://svnweb.freebsd.org/changeset/base/311596

Log:
  MFC r310957,r310958,r310960:
  
  r310957:
  
  Use strlcpy when copying `com` to pdu->community to avoid potential
  buffer overruns
  
  CID:		1006823, 1006824
  
  r310958:
  
  Initialize ret to SNMPD_INPUT_OK at the top of snmp_input_start(..) to
  avoid returning an uninitialized value
  
  There are some really complicated, snakey if-statements combined with
  switch statements that could result in an invalid value being returned
  as `ret`
  
  CID:		1006551
  
  r310960:
  
  Similar to r310954, set .len to 0 on malloc failure and to `len` only
  on success

Modified:
  stable/11/contrib/bsnmp/snmpd/export.c
  stable/11/contrib/bsnmp/snmpd/main.c
  stable/11/contrib/bsnmp/snmpd/trap.c
Directory Properties:
  stable/11/   (props changed)

Modified: stable/11/contrib/bsnmp/snmpd/export.c
==============================================================================
--- stable/11/contrib/bsnmp/snmpd/export.c	Sat Jan  7 08:46:16 2017	(r311595)
+++ stable/11/contrib/bsnmp/snmpd/export.c	Sat Jan  7 08:47:27 2017	(r311596)
@@ -114,9 +114,11 @@ string_get(struct snmp_value *value, con
 	}
 	if (len == -1)
 		len = strlen(ptr);
-	value->v.octetstring.len = (u_long)len;
-	if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+	if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+		value->v.octetstring.len = 0;
 		return (SNMP_ERR_RES_UNAVAIL);
+	}
+	value->v.octetstring.len = (u_long)len;
 	memcpy(value->v.octetstring.octets, ptr, (size_t)len);
 	return (SNMP_ERR_NOERROR);
 }
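Review bot: `malloc((size_t)len)` in string_get is still reached when `len` is 0 (an empty string), and the C standard allows malloc(0) to return NULL, which this code would report as SNMP_ERR_RES_UNAVAIL although nothing failed. FreeBSD's allocator returns a non-NULL pointer for a zero size, so this mainly affects ports of contrib/bsnmp; `malloc(len == 0 ? 1 : (size_t)len)` would remove the ambiguity. The new ordering is worth a short comment, for example `/* publish len only once octets is valid, so a failed allocation never leaves a non-zero length with a NULL pointer */`. The same two points apply to the identical hunk in string_get_max below; both functions start outside their hunks.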
@@ -138,9 +140,11 @@ string_get_max(struct snmp_value *value,
 		len = strlen(ptr);
 	if ((size_t)len > maxlen)
 		len = maxlen;
-	value->v.octetstring.len = (u_long)len;
-	if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+	if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+		value->v.octetstring.len = 0;
 		return (SNMP_ERR_RES_UNAVAIL);
+	}
+	value->v.octetstring.len = (u_long)len;
 	memcpy(value->v.octetstring.octets, ptr, (size_t)len);
 	return (SNMP_ERR_NOERROR);
 }

Modified: stable/11/contrib/bsnmp/snmpd/main.c
==============================================================================
--- stable/11/contrib/bsnmp/snmpd/main.c	Sat Jan  7 08:46:16 2017	(r311595)
+++ stable/11/contrib/bsnmp/snmpd/main.c	Sat Jan  7 08:47:27 2017	(r311596)
@@ -492,6 +492,8 @@ snmp_input_start(const u_char *buf, size
 	b.asn_cptr = buf;
 	b.asn_len = len;
 
+	ret = SNMPD_INPUT_OK;
+
 	/* look whether we have enough bytes for the entire PDU. */
 	switch (sret = snmp_pdu_snoop(&b)) {
 
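Review bot: Defaulting `ret` to SNMPD_INPUT_OK at the top of snmp_input_start means any path that reaches `decoded:` without assigning `ret` now reports success for the packet, and neither the compiler nor Coverity can flag such a path any more. Which paths those are is not visible from this hunk, so at minimum the assignment deserves a comment such as `/* default for paths that jump to decoded: without setting ret */`. If any of them are error paths, a failing default that a successful decode overrides would be the safer shape for input-parsing code. The function body starts and ends outside the hunk.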
@@ -520,8 +522,6 @@ snmp_input_start(const u_char *buf, size
 	}
 	code = snmp_pdu_decode_scoped(&b, pdu, ip);
 
-	ret = SNMPD_INPUT_OK;
-
 decoded:
 	snmpd_stats.inPkts++;
 

Modified: stable/11/contrib/bsnmp/snmpd/trap.c
==============================================================================
--- stable/11/contrib/bsnmp/snmpd/trap.c	Sat Jan  7 08:46:16 2017	(r311595)
+++ stable/11/contrib/bsnmp/snmpd/trap.c	Sat Jan  7 08:47:27 2017	(r311596)
@@ -422,7 +422,7 @@ snmp_create_v1_trap(struct snmp_pdu *pdu
     const struct asn_oid *trap_oid)
 {
 	memset(pdu, 0, sizeof(*pdu));
-	strcpy(pdu->community, com);
+	strlcpy(pdu->community, com, sizeof(pdu->community));
 
 	pdu->version = SNMP_V1;
 	pdu->type = SNMP_PDU_TRAP;
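Review bot: The return value of `strlcpy` in snmp_create_v1_trap is discarded, so a `com` longer than `pdu->community` is now silently truncated and the trap would presumably be sent with a community string other than the configured one. strlcpy returns the length of the source string, so truncation can be detected with `if (strlcpy(pdu->community, com, sizeof(pdu->community)) >= sizeof(pdu->community))` and then logged or rejected. How to report it depends on the function's return type, which is outside the hunk. The same applies to the identical change in snmp_create_v2_trap in the next hunk.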
@@ -439,7 +439,7 @@ snmp_create_v2_trap(struct snmp_pdu *pdu
     const struct asn_oid *trap_oid)
 {
 	memset(pdu, 0, sizeof(*pdu));
-	strcpy(pdu->community, com);
+	strlcpy(pdu->community, com, sizeof(pdu->community));
 
 	pdu->version = SNMP_V2c;
 	pdu->type = SNMP_PDU_TRAP2;


