package/netsnmp/0001-snmp_agent-disallow-SET-with-NULL-varbind.patch - buildroot - Git at Google

 From b07627fa67c686b07d1eab123cf3e4887a2a93aa Mon Sep 17 00:00:00 2001
 From: Bill Fenner <fenner@gmail.com>
 Date: Fri, 25 Nov 2022 08:41:24 -0800
 Subject: [PATCH] snmp_agent: disallow SET with NULL varbind

 Upstream: https://github.com/net-snmp/net-snmp/commit/4589352dac3ae111c7621298cf231742209efd9b

 [Thomas: this commit was merged as part of
 https://github.com/net-snmp/net-snmp/pull/490/commits, which fixes
 https://github.com/net-snmp/net-snmp/issues/474 (CVE-2022-44792) and
 https://github.com/net-snmp/net-snmp/issues/475 (CVE-2022-44793). The
 other two commits merged as part of this pull request are related to
 adding a non-regression test for this, which is not relevant for the
 security fix itself.]

 Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
 ---
  agent/snmp_agent.c | 32 ++++++++++++++++++++++++++++++++
  1 file changed, 32 insertions(+)

 diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
 index 867d0c166f..3f678fe2df 100644
 --- a/agent/snmp_agent.c
 +++ b/agent/snmp_agent.c
 @@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status)
      return 1;
  }

 +static int
 +check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
 +{
 +    int i;
 +    netsnmp_variable_list *v = NULL;
 +
 +    for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) {
 +	if (v->type == ASN_NULL) {
 +	    /*
 +	     * Protect SET implementations that do not protect themselves
 +	     * against wrong type.
 +	     */
 +	    DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i));
 +	    asp->index = i;
 +	    return SNMP_ERR_WRONGTYPE;
 +	}
 +    }
 +    return SNMP_ERR_NOERROR;
 +}
 +
  int
  handle_pdu(netsnmp_agent_session *asp)
  {
      int             status, inclusives = 0;
      netsnmp_variable_list *v = NULL;

 +#ifndef NETSNMP_NO_WRITE_SUPPORT
 +    /*
 +     * Check for ASN_NULL in SET request
 +     */
 +    if (asp->pdu->command == SNMP_MSG_SET) {
 +	status = check_set_pdu_for_null_varbind(asp);
 +	if (status != SNMP_ERR_NOERROR) {
 +	    return status;
 +	}
 +    }
 +#endif /* NETSNMP_NO_WRITE_SUPPORT */
 +
      /*
       * for illegal requests, mark all nodes as ASN_NULL
       */
 --
 2.41.0
	From b07627fa67c686b07d1eab123cf3e4887a2a93aa Mon Sep 17 00:00:00 2001
	From: Bill Fenner <fenner@gmail.com>
	Date: Fri, 25 Nov 2022 08:41:24 -0800
	Subject: [PATCH] snmp_agent: disallow SET with NULL varbind

	Upstream: https://github.com/net-snmp/net-snmp/commit/4589352dac3ae111c7621298cf231742209efd9b

	[Thomas: this commit was merged as part of
	https://github.com/net-snmp/net-snmp/pull/490/commits, which fixes
	https://github.com/net-snmp/net-snmp/issues/474 (CVE-2022-44792) and
	https://github.com/net-snmp/net-snmp/issues/475 (CVE-2022-44793). The
	other two commits merged as part of this pull request are related to
	adding a non-regression test for this, which is not relevant for the
	security fix itself.]

	Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
	---
	agent/snmp_agent.c \| 32 ++++++++++++++++++++++++++++++++
	1 file changed, 32 insertions(+)

	diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
	index 867d0c166f..3f678fe2df 100644
	--- a/agent/snmp_agent.c
	+++ b/agent/snmp_agent.c
	@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status)
	return 1;
	}

	+static int
	+check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
	+{
	+ int i;
	+ netsnmp_variable_list *v = NULL;
	+
	+ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) {
	+ if (v->type == ASN_NULL) {
	+ /*
	+ * Protect SET implementations that do not protect themselves
	+ * against wrong type.
	+ */
	+ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i));
	+ asp->index = i;
	+ return SNMP_ERR_WRONGTYPE;
	+ }
	+ }
	+ return SNMP_ERR_NOERROR;
	+}
	+
	int
	handle_pdu(netsnmp_agent_session *asp)
	{
	int status, inclusives = 0;
	netsnmp_variable_list *v = NULL;

	+#ifndef NETSNMP_NO_WRITE_SUPPORT
	+ /*
	+ * Check for ASN_NULL in SET request
	+ */
	+ if (asp->pdu->command == SNMP_MSG_SET) {
	+ status = check_set_pdu_for_null_varbind(asp);
	+ if (status != SNMP_ERR_NOERROR) {
	+ return status;
	+ }
	+ }
	+#endif /* NETSNMP_NO_WRITE_SUPPORT */
	+
	/*
	* for illegal requests, mark all nodes as ASN_NULL
	*/
	--
	2.41.0