Re: Patch for CVE-2015-5621 in 5.7.1 code base
Thanks Alex & Niels! I could generate the patch and use it.

How do we test this fix? Does net-snmp have some security test suites to be used?

Sampath

On Tue, Sep 1, 2015 at 1:06 AM, Alexander Bergmann wrote:
> Hi Sampath,
>
> you need to have 'V5-7-patches' as a local branch. Otherwise you're
> getting an error message.
>
> Just do a 'git checkout V5-7-patches' once and it should work.
>
> Regards,
> Alex~
>
> On Mon, Aug 31, 2015 at 11:22:35AM -0700, Sampathkumar Santhanakrishnan wrote:
>> Hi Alex,
>> Thanks for sharing this info. I tried to get the diff and it
>> complains about "V5-7-patches".
>>
>> git diff v5.7.1 V5-7-patches snmplib/snmp_api.c > fix-5.7.1.patch
>> fatal: ambiguous argument 'V5-7-patches': unknown revision or path not
>> in the working tree.
>> Use '--' to separate paths from revisions
>>
>> git branch
>> * master
>>
>> Thanks & Regards,
>> Sampath
>>
>> On Fri, Aug 28, 2015 at 5:41 AM, Alexander Bergmann
>> wrote:
>> > Hi Sampathkumar,
>> >
>> > you can use git to get you a patch diff for this fix.
>> >
>> > Just clone the repo and run the following command.
>> >
>> > #> git diff v5.7.1 V5-7-patches snmplib/snmp_api.c > fix-5.7.1.patch
>> >
>> > Then edit the file and delete everything except for changes inside the
>> > snmp_pdu_parse() function. Double check with the original fix and you
>> > are done.
>> >
>> > Hope that helps,
>> > Alex~
>> >
>> > On Thu, Aug 27, 2015 at 12:25:41AM -0700, Sampathkumar Santhanakrishnan
>> > wrote:
>> >> Hello,
>> >> I am looking for net-snmp 5.7.1 based patch for CVE-2015-5621
>> >>
>> >> "The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and
>> >> earlier does not remove the varBind variable in a
>> >> netsnmp_variable_list item when parsing of the SNMP PDU fails, which
>> >> allows remote attackers to cause a denial of service (crash) and
>> >> possibly execute arbitrary code via a crafted packet."
>> >>
>> >> Can someone help on this?
>> >>
>> >> Thanks & Regards,
>> >> Sampajtj
>> >>
>> >> --
>> >> ___
>> >> Net-snmp-coders mailing list
>> >> Net-snmp-coders@lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>> >>
>> >
>> > --
>> > Alexander Bergmann, Security Engineer,
>> > SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu,
>> > Graham Norton, HRB 21284 (AG Nürnberg)
>> >
>
> --
> Alexander Bergmann, Security Engineer,
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu,
> Graham Norton, HRB 21284 (AG Nürnberg)

--
___
Net-snmp-coders mailing list
Net-snmp-coders@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
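One property a regression test for this fix can check, shown on a self-contained model (an added example, not net-snmp code and not part of the thread): after a failed parse, no half-built varbind may remain reachable from the list head. The toy wire format and the names struct var, parse_vars and incomplete_left are hypothetical stand-ins for the real structures.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for netsnmp_variable_list (not the net-snmp struct). */
struct var { struct var *next; unsigned char *val; size_t len; int complete; };

static void free_vars(struct var *v) {
    while (v) { struct var *n = v->next; free(v->val); free(v); v = n; }
}

/* Toy wire format, an assumption (not BER): [0x04][len][len bytes] repeated.
 * link_first=1 links a node before it is parsed (pre-fix), 0 after (fixed). */
static int parse_vars(const unsigned char *p, size_t n, struct var **head, int link_first) {
    struct var *last = NULL, *vp = NULL; *head = NULL;
    while (n > 0) {
        vp = calloc(1, sizeof(*vp));
        if (!vp) goto fail;
        if (link_first) { if (last) last->next = vp; else *head = vp; last = vp; }
        if (n < 2 || p[0] != 0x04 || (size_t)p[1] > n - 2) goto fail;
        vp->len = p[1];
        vp->val = malloc(vp->len + 1);
        if (!vp->val) goto fail;
        memcpy(vp->val, p + 2, vp->len);
        vp->complete = 1;
        p += 2 + vp->len; n -= 2 + vp->len;
        if (!link_first) { if (last) last->next = vp; else *head = vp; last = vp; }
        vp = NULL;
    }
    return 0;
fail:
    if (vp && !link_first) free_vars(vp); /* never linked, so free it here */
    return -1;
}

/* Constructed input: one good varbind, then one claiming 5 bytes with 1 left. */
static const unsigned char SAMPLE[] = { 0x04, 2, 'o', 'k', 0x04, 5, 'x' };

/* Nodes left on the list after a failed parse that were never completed. */
static int incomplete_left(int link_first) {
    struct var *head, *v; int bad = 0;
    if (parse_vars(SAMPLE, sizeof SAMPLE, &head, link_first) == 0) bad = -1;
    for (v = head; v && bad >= 0; v = v->next) bad += !v->complete;
    free_vars(head); return bad;
}

int main(void) {
    printf("link-first %d, link-last %d\n", incomplete_left(1), incomplete_left(0));
    return 0;
}
```

Built with a memory checker such as AddressSanitizer, the same harness also shows whether the failure path frees the in-flight node exactly once.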
Re: Patch for CVE-2015-5621 in 5.7.1 code base
On Mon, Aug 31, 2015 at 11:22:35AM -0700, Sampathkumar Santhanakrishnan wrote: > Hi Alex, > Thanks for sharing this info. I tried to get the diff and it > complains about "V5-7-patches". This works: git diff 345b9633ea4df23b863cba5defe5187d81fc505d^ 345b9633ea4df23b863cba5defe5187d81fc505d >patch Here is the patch /Niels -- Niels Baggesen - @home - Århus - Denmark - n...@users.sourceforge.net The purpose of computing is insight, not numbers --- R W Hamming diff --git a/snmplib/snmp_api.c b/snmplib/snmp_api.c index d0a4021..7f746bb 100644 --- a/snmplib/snmp_api.c +++ b/snmplib/snmp_api.c @@ -4352,10 +4352,9 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length) u_char type; u_char msg_type; u_char *var_val; -int badtype = 0; size_t len; size_t four; -netsnmp_variable_list *vp = NULL; +netsnmp_variable_list *vp = NULL, *vplast = NULL; oid objid[MAX_OID_LEN]; u_char *p; @@ -4495,38 +4494,24 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length) (ASN_SEQUENCE | ASN_CONSTRUCTOR), "varbinds"); if (data == NULL) -return -1; +goto fail; /* * get each varBind sequence */ while ((int) *length > 0) { -netsnmp_variable_list *vptemp; -vptemp = (netsnmp_variable_list *) malloc(sizeof(*vptemp)); -if (NULL == vptemp) { -return -1; -} -if (NULL == vp) { -pdu->variables = vptemp; -} else { -vp->next_variable = vptemp; -} -vp = vptemp; +vp = SNMP_MALLOC_TYPEDEF(netsnmp_variable_list); +if (NULL == vp) +goto fail; -vp->next_variable = NULL; -vp->val.string = NULL; vp->name_length = MAX_OID_LEN; -vp->name = NULL; -vp->index = 0; -vp->data = NULL; -vp->dataFreeHook = NULL; DEBUGDUMPSECTION("recv", "VarBind"); data = snmp_parse_var_op(data, objid, >name_length, >type, >val_len, _val, length); if (data == NULL) -return -1; +goto fail; if (snmp_set_var_objid(vp, objid, vp->name_length)) -return -1; +goto fail; len = MAX_PACKET_LENGTH; DEBUGDUMPHEADER("recv", "Value"); 
@@ -4606,7 +4591,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length) vp->val.string = (u_char *) malloc(vp->val_len); } if (vp->val.string == NULL) { -return -1; +goto fail; } p = asn_parse_string(var_val, , >type, vp->val.string, >val_len); @@ -4621,7 +4606,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length) vp->val_len *= sizeof(oid); vp->val.objid = (oid *) malloc(vp->val_len); if (vp->val.objid == NULL) { -return -1; +goto fail; } memmove(vp->val.objid, objid, vp->val_len); break; @@ -4633,7 +4618,7 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length) case ASN_BIT_STR: vp->val.bitstring = (u_char *) malloc(vp->val_len); if (vp->val.bitstring == NULL) { -return -1; +goto fail; } p = asn_parse_bitstring(var_val, , >type, vp->val.bitstring, >val_len); @@ -4642,12 +4627,28 @@ snmp_pdu_parse(netsnmp_pdu *pdu, u_char * data, size_t * length) break; default: snmp_log(LOG_ERR, "bad type returned (%x)\n", vp->type); -badtype = -1; +goto fail; break; } DEBUGINDENTADD(-4); + +if (NULL == vplast) { +pdu->variables = vp; +} else { +vplast->next_variable = vp; +} +vplast = vp; +vp = NULL; } -return badtype; +return 0; + + fail: +DEBUGMSGTL(("recv", "error while parsing VarBindList\n")); +/** if we were parsing a var, remove it from the pdu and free it */ +if (vp) +snmp_free_var(vp); + +return -1; } /* -- ___ Net-snmp-coders mailing list Net-snmp-coders@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
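Review bot: In the varbind loop of the second hunk, the explicit resets of 'next_variable', 'val.string', 'name', 'index', 'data' and 'dataFreeHook' are dropped in favour of 'SNMP_MALLOC_TYPEDEF', so the 'snmp_free_var(vp)' call under 'fail:' is only safe while that macro hands back zeroed memory. A short comment at the allocation saying that the zero-fill is what makes a half-parsed 'vp' safe to free would keep a later change back to plain 'malloc' from passing uninitialised pointers to 'snmp_free_var'.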
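Review bot: The comment over 'snmp_free_var(vp)' in the 'fail:' block of the last hunk says the var is removed from the pdu, but with the linking moved to the bottom of the loop an in-flight 'vp' is never on 'pdu->variables', so it is only freed. Reword the comment, and state that varbinds linked by earlier iterations stay on 'pdu->variables' for the caller to release. In the 'default:' case the 'break;' after 'goto fail;' is unreachable and can be dropped. That case also changes behaviour: the removed 'badtype' flag let the loop keep parsing and return -1 at the end, whereas the first bad type now ends parsing, which is worth stating in the change description.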
Re: Patch for CVE-2015-5621 in 5.7.1 code base
Hi Sampath,

you need to have 'V5-7-patches' as a local branch. Otherwise you're
getting an error message.

Just do a 'git checkout V5-7-patches' once and it should work.

Regards,
Alex~

On Mon, Aug 31, 2015 at 11:22:35AM -0700, Sampathkumar Santhanakrishnan wrote:
> Hi Alex,
> Thanks for sharing this info. I tried to get the diff and it
> complains about "V5-7-patches".
>
> git diff v5.7.1 V5-7-patches snmplib/snmp_api.c > fix-5.7.1.patch
> fatal: ambiguous argument 'V5-7-patches': unknown revision or path not
> in the working tree.
> Use '--' to separate paths from revisions
>
> git branch
> * master
>
> Thanks & Regards,
> Sampath
>
> On Fri, Aug 28, 2015 at 5:41 AM, Alexander Bergmann
> wrote:
> > Hi Sampathkumar,
> >
> > you can use git to get you a patch diff for this fix.
> >
> > Just clone the repo and run the following command.
> >
> > #> git diff v5.7.1 V5-7-patches snmplib/snmp_api.c > fix-5.7.1.patch
> >
> > Then edit the file and delete everything except for changes inside the
> > snmp_pdu_parse() function. Double check with the original fix and you
> > are done.
> >
> > Hope that helps,
> > Alex~
> >
> > On Thu, Aug 27, 2015 at 12:25:41AM -0700, Sampathkumar Santhanakrishnan
> > wrote:
> >> Hello,
> >> I am looking for net-snmp 5.7.1 based patch for CVE-2015-5621
> >>
> >> "The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and
> >> earlier does not remove the varBind variable in a
> >> netsnmp_variable_list item when parsing of the SNMP PDU fails, which
> >> allows remote attackers to cause a denial of service (crash) and
> >> possibly execute arbitrary code via a crafted packet."
> >>
> >> Can someone help on this?
> >>
> >> Thanks & Regards,
> >> Sampajtj
> >>
> >> --
> >> ___
> >> Net-snmp-coders mailing list
> >> Net-snmp-coders@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
> >>
> >
> > --
> > Alexander Bergmann, Security Engineer,
> > SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu,
> > Graham Norton, HRB 21284 (AG Nürnberg)
>

--
Alexander Bergmann, Security Engineer,
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu,
Graham Norton, HRB 21284 (AG Nürnberg)
Re: Patch for CVE-2015-5621 in 5.7.1 code base
Hi Alex,
Thanks for sharing this info. I tried to get the diff and it
complains about "V5-7-patches".

git diff v5.7.1 V5-7-patches snmplib/snmp_api.c > fix-5.7.1.patch
fatal: ambiguous argument 'V5-7-patches': unknown revision or path not
in the working tree.
Use '--' to separate paths from revisions

git branch
* master

Thanks & Regards,
Sampath

On Fri, Aug 28, 2015 at 5:41 AM, Alexander Bergmann wrote:
> Hi Sampathkumar,
>
> you can use git to get you a patch diff for this fix.
>
> Just clone the repo and run the following command.
>
> #> git diff v5.7.1 V5-7-patches snmplib/snmp_api.c > fix-5.7.1.patch
>
> Then edit the file and delete everything except for changes inside the
> snmp_pdu_parse() function. Double check with the original fix and you
> are done.
>
> Hope that helps,
> Alex~
>
> On Thu, Aug 27, 2015 at 12:25:41AM -0700, Sampathkumar Santhanakrishnan wrote:
>> Hello,
>> I am looking for net-snmp 5.7.1 based patch for CVE-2015-5621
>>
>> "The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and
>> earlier does not remove the varBind variable in a
>> netsnmp_variable_list item when parsing of the SNMP PDU fails, which
>> allows remote attackers to cause a denial of service (crash) and
>> possibly execute arbitrary code via a crafted packet."
>>
>> Can someone help on this?
>>
>> Thanks & Regards,
>> Sampajtj
>>
>> --
>> ___
>> Net-snmp-coders mailing list
>> Net-snmp-coders@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
>>
>
> --
> Alexander Bergmann, Security Engineer,
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu,
> Graham Norton, HRB 21284 (AG Nürnberg)
Re: Patch for CVE-2015-5621 in 5.7.1 code base
Hi Sampathkumar,

you can use git to get you a patch diff for this fix.

Just clone the repo and run the following command.

#> git diff v5.7.1 V5-7-patches snmplib/snmp_api.c > fix-5.7.1.patch

Then edit the file and delete everything except for changes inside the
snmp_pdu_parse() function. Double check with the original fix and you
are done.

Hope that helps,
Alex~

On Thu, Aug 27, 2015 at 12:25:41AM -0700, Sampathkumar Santhanakrishnan wrote:
> Hello,
> I am looking for net-snmp 5.7.1 based patch for CVE-2015-5621
>
> "The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and
> earlier does not remove the varBind variable in a
> netsnmp_variable_list item when parsing of the SNMP PDU fails, which
> allows remote attackers to cause a denial of service (crash) and
> possibly execute arbitrary code via a crafted packet."
>
> Can someone help on this?
>
> Thanks & Regards,
> Sampajtj
>
> --
> ___
> Net-snmp-coders mailing list
> Net-snmp-coders@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/net-snmp-coders

--
Alexander Bergmann abergm...@suse.com, Security Engineer,
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu,
Graham Norton, HRB 21284 (AG Nürnberg)
Patch for CVE-2015-5621 in 5.7.1 code base
Hello,
I am looking for net-snmp 5.7.1 based patch for CVE-2015-5621

"The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and
earlier does not remove the varBind variable in a
netsnmp_variable_list item when parsing of the SNMP PDU fails, which
allows remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code via a crafted packet."

Can someone help on this?

Thanks & Regards,
Sampajtj