
rpms/net-snmp/F-7 net-snmp-5.4-maxreps.patch, NONE, 1.1 net-snmp.spec, 1.119, 1.120



Author: jsafrane

Update of /cvs/pkgs/rpms/net-snmp/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv22644

Modified Files:
	net-snmp.spec 
Added Files:
	net-snmp-5.4-maxreps.patch 
Log Message:
fix remote DoS attack (CVE-2007-5846)

net-snmp-5.4-maxreps.patch:

--- NEW FILE net-snmp-5.4-maxreps.patch ---
Index: man/snmpd.conf.5.def
===================================================================
--- man/snmpd.conf.5.def	(revision 16338)
+++ man/snmpd.conf.5.def	(working copy)
@@ -71,6 +71,28 @@
 .IP "leave_pidfile yes"
 instructs the agent to not remove its pid file on shutdown. Equivalent to
 specifying "-U" on the command line.
+.IP "maxGetbulkRepeats NUM"
+Sets the maximum number of responses allowed for a single variable in
+a getbulk request.  Set to 0 to enable the default and set it to -1 to
+enable unlimited.  Because memory is allocated ahead of time, sitting
+this to unlimited is not considered safe if your user population can
+not be trusted.  A repeat number greater than this will be truncated
+to this value.
+.IP
+This is set by default to -1.
+.IP "maxGetbulkResponses NUM"
+Sets the maximum number of responses allowed for a getbulk request.
+This is set by default to 100.  Set to 0 to enable the default and set
+it to -1 to enable unlimited.  Because memory is allocated ahead of
+time, sitting this to unlimited is not considered safe if your user
+population can not be trusted.
+.IP
+In general, the total number of responses will not be allowed to
+exceed the maxGetbulkResponses number and the total number returned
+will be an integer multiple of the number of variables requested times
+the calculated number of repeats allow to fit below this number.
+.IP
+Also not that processing of maxGetbulkRepeats is handled first.
 .SS SNMPv3 Configuration
 SNMPv3 requires an SNMP agent to define a unique "engine ID"
 in order to respond to SNMPv3 requests.
Index: include/net-snmp/agent/ds_agent.h
===================================================================
--- include/net-snmp/agent/ds_agent.h	(revision 16338)
+++ include/net-snmp/agent/ds_agent.h	(working copy)
@@ -59,5 +59,7 @@
 #define NETSNMP_DS_AGENT_CACHE_TIMEOUT  10      /* default cache timeout */
 #define NETSNMP_DS_AGENT_INTERNAL_VERSION  11   /* used by internal queries */
 #define NETSNMP_DS_AGENT_INTERNAL_SECLEVEL 12   /* used by internal queries */
+#define NETSNMP_DS_AGENT_MAX_GETBULKREPEATS 13 /* max getbulk repeats */
+#define NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES 14   /* max getbulk respones */
 
 #endif
Index: agent/agent_read_config.c
===================================================================
--- agent/agent_read_config.c	(revision 16338)
+++ agent/agent_read_config.c	(working copy)
@@ -258,6 +258,12 @@
     netsnmp_ds_register_config(ASN_BOOLEAN, app, "dontLogTCPWrappersConnects",
                                NETSNMP_DS_APPLICATION_ID,
                                NETSNMP_DS_AGENT_DONT_LOG_TCPWRAPPERS_CONNECTS);
+    netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkRepeats",
+                               NETSNMP_DS_APPLICATION_ID,
+                               NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
+    netsnmp_ds_register_config(ASN_INTEGER, app, "maxGetbulkResponses",
+                               NETSNMP_DS_APPLICATION_ID,
+                               NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
     netsnmp_init_handler_conf();
 
 #include "agent_module_dot_conf.h"
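Review bot: Both options are registered as plain `ASN_INTEGER` with no range check, and the consumer in agent/snmp_agent.c special-cases only 0 and -1. A setting such as -5 for `maxGetbulkRepeats` would therefore pass the `maxbulk != -1` test and replace any non-negative request value in `asp->pdu->errindex` with a negative repeat count. Treating every negative setting as unlimited where the values are read, e.g. `if (maxbulk < 0) maxbulk = -1;` and the same for `maxresponses`, keeps a typo in snmpd.conf from turning into a bogus allocation size. The enclosing function starts and ends outside this hunk.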
Index: agent/snmp_agent.c
===================================================================
--- agent/snmp_agent.c	(revision 16338)
+++ agent/snmp_agent.c	(working copy)
@@ -2156,7 +2156,6 @@
          * getbulk prep 
          */
         int             count = count_varbinds(asp->pdu->variables);
-
         if (asp->pdu->errstat < 0) {
             asp->pdu->errstat = 0;
         }
@@ -2173,8 +2172,37 @@
             r = 0;
             asp->bulkcache = NULL;
         } else {
+            int numresponses;
+            int           maxbulk =
+                netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
+                                   NETSNMP_DS_AGENT_MAX_GETBULKREPEATS);
+            int maxresponses =
+                netsnmp_ds_get_int(NETSNMP_DS_APPLICATION_ID,
+                                   NETSNMP_DS_AGENT_MAX_GETBULKRESPONSES);
+
+            if (maxresponses == 0)
+                maxresponses = 100;   /* more than reasonable default */
+
+            if (maxbulk == 0)
+                maxbulk = -1;
+
+            /* limit getbulk number of repeats to a configured size */
+            if (asp->pdu->errindex > maxbulk && maxbulk != -1) {
+                asp->pdu->errindex = maxbulk;
+            }
+
+            numresponses = asp->pdu->errindex * r;
+
+            /* limit getbulk number of getbulk responses to a configured size */
+            if (maxresponses != -1 && numresponses > maxresponses) {
+                /* attempt to truncate this */
+                asp->pdu->errindex = maxresponses/r;
+                numresponses = asp->pdu->errindex * r;
+                DEBUGMSGTL(("snmp_agent", "truncating number of getbulk repeats to %d\n", asp->pdu->errindex));
+            }
+
             asp->bulkcache =
-                (netsnmp_variable_list **) malloc(asp->pdu->errindex * r *
+                (netsnmp_variable_list **) malloc(numresponses *
                                                   sizeof(struct
                                                          varbind_list *));
             if (!asp->bulkcache) {
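Review bot: The product `asp->pdu->errindex * r` is stored in `int numresponses` before any limit is applied when `maxGetbulkRepeats` is at its default of -1, so a request-supplied repeat count large enough to overflow or truncate the product can make `numresponses > maxresponses` false and skip the cap this patch exists to enforce. Clamping by division first avoids multiplying unchecked input: `if (maxresponses != -1 && asp->pdu->errindex > maxresponses / r) asp->pdu->errindex = maxresponses / r;`, and only then compute `numresponses`. With both limits set to -1 the product is still unchecked, so the allocation size would also need a guard against `INT_MAX / sizeof(struct varbind_list *)`. The declarations of `errindex` and `r`, and the branch that guarantees `r` is non-zero, are outside the hunk, so the exact types are assumed here.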
@@ -2184,6 +2212,8 @@
         }
         DEBUGMSGTL(("snmp_agent", "GETBULK N = %d, M = %d, R = %d\n",
                     n, asp->pdu->errindex, r));
+        fprintf(stderr, "GETBULK N = %d, M = %d, R = %d\n",
+                n, asp->pdu->errindex, r);
     }
 
     /*
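Review bot: The added `fprintf(stderr, ...)` looks like leftover debugging: it repeats the `DEBUGMSGTL` line directly above it but runs unconditionally, so every GETBULK request makes the agent write a line to stderr regardless of debug settings. Where the daemon's stderr is captured into a log, request volume then drives log growth, which is an unwanted side effect in a DoS fix. I would drop the two added lines and keep only the `DEBUGMSGTL` call. The enclosing block starts outside the hunk.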


Index: net-snmp.spec
===================================================================
RCS file: /cvs/pkgs/rpms/net-snmp/F-7/net-snmp.spec,v
retrieving revision 1.119
retrieving revision 1.120
diff -u -r1.119 -r1.120
--- net-snmp.spec	22 Oct 2007 11:29:50 -0000	1.119
+++ net-snmp.spec	9 Nov 2007 14:28:06 -0000	1.120
@@ -45,6 +45,7 @@
 Patch21: net-snmp-5.4-exec-crash.patch
 Patch22: net-snmp-5.4-smux-password.patch
 Patch23: net-snmp-5.4-udp-leak.patch
+Patch24: net-snmp-5.4-maxreps.patch
 
 Requires(pre): /sbin/chkconfig
 Requires(post): /sbin/chkconfig
@@ -169,6 +170,7 @@
 %patch21 -p1 -b .exec-crash
 %patch22 -p0 -b .smux-password
 %patch23 -p0 -b .udp-leak
+%patch24 -p0 -b .maxreps
 
 # Do this patch with a perl hack...
 perl -pi -e "s|'\\\$install_libdir'|'%{_libdir}'|" ltmain.sh
@@ -377,6 +379,7 @@
 - License: field fixed to "BSD and CMU"
 - fix hrSWInst (#250237)
 - fix leak in UDP transport (#247771)
+- fix remote DoS attack (CVE-2007-5846)
 
 * Mon Oct  8 2007 Jan Safranek <jsafranek redhat com> 5.4-15
 - License: field changed to MIT

