net-snmp: CVE-2022-44792 & CVE-2022-44793 Fix NULL Pointer Exception

Upstream-Status: Backport from https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Hitendra Prajapati <hprajapati@mvista.com> 2023-01-20 10:37:43 +0530
committer: Armin Kuster <akuster808@gmail.com> 2023-02-22 11:24:23 -0500
commit: d07c7f658fb63c21b172523972885348fc11d974 (patch)
tree: c80c147cf5177aab59b5312e648db89b5acd37ab
parent: 56403db5e393ca9ccf4ede6ea19ff212984a27c4 (diff)
download: meta-openembedded-d07c7f658fb63c21b172523972885348fc11d974.tar.gz
2 files changed, 117 insertions, 0 deletions
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch
new file mode 100644
index 0000000000..4e537c8859
--- /dev/null
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch
@@ -0,0 +1,116 @@
+From 4589352dac3ae111c7621298cf231742209efd9b Mon Sep 17 00:00:00 2001
+From: Bill Fenner <fenner@gmail.com>
+Date: Fri, 25 Nov 2022 08:41:24 -0800
+Subject: [PATCH ] snmp_agent: disallow SET with NULL varbind
+Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57]
+CVE: CVE-2022-44792 & CVE-2022-44793
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ agent/snmp_agent.c                            | 32 +++++++++++++++++++
+ apps/snmpset.c                                |  1 +
+ .../default/T0142snmpv2csetnull_simple        | 31 ++++++++++++++++++
+ 3 files changed, 64 insertions(+)
+ create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple
+diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
+index 26653f4..eba5b4e 100644
+--- a/agent/snmp_agent.c
+++ b/agent/snmp_agent.c
+@@ -3708,12 +3708,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status)
+     return 1;
+ }
+ 
+static int
+check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
+{
+    int i;
+    netsnmp_variable_list *v = NULL;
+
+    for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) {
+       if (v->type == ASN_NULL) {
+           /*
+            * Protect SET implementations that do not protect themselves
+            * against wrong type.
+            */
+           DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i));
+           asp->index = i;
+           return SNMP_ERR_WRONGTYPE;
+       }
+    }
+    return SNMP_ERR_NOERROR;
+}
+
+ int
+ handle_pdu(netsnmp_agent_session *asp)
+ {
+     int             status, inclusives = 0;
+     netsnmp_variable_list *v = NULL;
+ 
+#ifndef NETSNMP_NO_WRITE_SUPPORT
+    /*
+     * Check for ASN_NULL in SET request
+     */
+    if (asp->pdu->command == SNMP_MSG_SET) {
+       status = check_set_pdu_for_null_varbind(asp);
+       if (status != SNMP_ERR_NOERROR) {
+           return status;
+       }
+    }
+#endif /* NETSNMP_NO_WRITE_SUPPORT */
+
+     /*
+      * for illegal requests, mark all nodes as ASN_NULL 
+      */
+diff --git a/apps/snmpset.c b/apps/snmpset.c
+index a2374bc..cd01b9a 100644
+--- a/apps/snmpset.c
+++ b/apps/snmpset.c
+@@ -182,6 +182,7 @@ main(int argc, char *argv[])
+             case 'x':
+             case 'd':
+             case 'b':
+            case 'n': /* undocumented */
+ #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
+             case 'I':
+             case 'U':
+diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple
+new file mode 100644
+index 0000000..0f1b8f3
+--- /dev/null
+++ b/testing/fulltests/default/T0142snmpv2csetnull_simple
+@@ -0,0 +1,31 @@
+#!/bin/sh
+
+. ../support/simple_eval_tools.sh
+
+HEADER SNMPv2c set of system.sysContact.0 with NULL varbind
+
+SKIPIF NETSNMP_DISABLE_SET_SUPPORT
+SKIPIF NETSNMP_NO_WRITE_SUPPORT
+SKIPIF NETSNMP_DISABLE_SNMPV2C
+SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE
+
+#
+# Begin test
+#
+
+# standard V2C configuration: testcomunnity
+snmp_write_access='all'
+. ./Sv2cconfig
+STARTAGENT
+
+CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0"
+
+CHECK ".1.3.6.1.2.1.1.4.0 = STRING:"
+
+CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x"
+
+CHECK "Reason: wrongType"
+
+STOPAGENT
+
+FINISHED
+-- 
+2.25.1
diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
index 6b4b6ce8ed..79f2c1d89d 100644
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
@@ -35,6 +35,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
           file://CVE-2020-15861-0004.patch \
           file://CVE-2020-15861-0005.patch \
           file://CVE-2020-15862.patch \
+           file://CVE-2022-44792-CVE-2022-44793.patch \
           "
 SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a"
 SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf"
author	Hitendra Prajapati <hprajapati@mvista.com>	2023-01-20 10:37:43 +0530
committer	Armin Kuster <akuster808@gmail.com>	2023-02-22 11:24:23 -0500
commit	d07c7f658fb63c21b172523972885348fc11d974 (patch)
tree	c80c147cf5177aab59b5312e648db89b5acd37ab
parent	56403db5e393ca9ccf4ede6ea19ff212984a27c4 (diff)
download	meta-openembedded-d07c7f658fb63c21b172523972885348fc11d974.tar.gz

diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch new file mode 100644 index 0000000000..4e537c8859 --- /dev/null +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2022-44792-CVE-2022-44793.patch
@@ -0,0 +1,116 @@
		1	From 4589352dac3ae111c7621298cf231742209efd9b Mon Sep 17 00:00:00 2001
		2	From: Bill Fenner <fenner@gmail.com>
		3	Date: Fri, 25 Nov 2022 08:41:24 -0800
		4	Subject: [PATCH ] snmp_agent: disallow SET with NULL varbind
		5
		6	Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57]
		7	CVE: CVE-2022-44792 & CVE-2022-44793
		8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
		9	---
		10	agent/snmp_agent.c \| 32 +++++++++++++++++++
		11	apps/snmpset.c \| 1 +
		12	.../default/T0142snmpv2csetnull_simple \| 31 ++++++++++++++++++
		13	3 files changed, 64 insertions(+)
		14	create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple
		15
		16	diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
		17	index 26653f4..eba5b4e 100644
		18	--- a/agent/snmp_agent.c
		19	+++ b/agent/snmp_agent.c
		20	@@ -3708,12 +3708,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status)
		21	return 1;
		22	}
		23
		24	+static int
		25	+check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
		26	+{
		27	+ int i;
		28	+ netsnmp_variable_list *v = NULL;
		29	+
		30	+ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) {
		31	+ if (v->type == ASN_NULL) {
		32	+ /*
		33	+ * Protect SET implementations that do not protect themselves
		34	+ * against wrong type.
		35	+ */
		36	+ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i));
		37	+ asp->index = i;
		38	+ return SNMP_ERR_WRONGTYPE;
		39	+ }
		40	+ }
		41	+ return SNMP_ERR_NOERROR;
		42	+}
		43	+
		44	int
		45	handle_pdu(netsnmp_agent_session *asp)
		46	{
		47	int status, inclusives = 0;
		48	netsnmp_variable_list *v = NULL;
		49
		50	+#ifndef NETSNMP_NO_WRITE_SUPPORT
		51	+ /*
		52	+ * Check for ASN_NULL in SET request
		53	+ */
		54	+ if (asp->pdu->command == SNMP_MSG_SET) {
		55	+ status = check_set_pdu_for_null_varbind(asp);
		56	+ if (status != SNMP_ERR_NOERROR) {
		57	+ return status;
		58	+ }
		59	+ }
		60	+#endif /* NETSNMP_NO_WRITE_SUPPORT */
		61	+
		62	/*
		63	* for illegal requests, mark all nodes as ASN_NULL
		64	*/
		65	diff --git a/apps/snmpset.c b/apps/snmpset.c
		66	index a2374bc..cd01b9a 100644
		67	--- a/apps/snmpset.c
		68	+++ b/apps/snmpset.c
		69	@@ -182,6 +182,7 @@ main(int argc, char *argv[])
		70	case 'x':
		71	case 'd':
		72	case 'b':
		73	+ case 'n': /* undocumented */
		74	#ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
		75	case 'I':
		76	case 'U':
		77	diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple
		78	new file mode 100644
		79	index 0000000..0f1b8f3
		80	--- /dev/null
		81	+++ b/testing/fulltests/default/T0142snmpv2csetnull_simple
		82	@@ -0,0 +1,31 @@
		83	+#!/bin/sh
		84	+
		85	+. ../support/simple_eval_tools.sh
		86	+
		87	+HEADER SNMPv2c set of system.sysContact.0 with NULL varbind
		88	+
		89	+SKIPIF NETSNMP_DISABLE_SET_SUPPORT
		90	+SKIPIF NETSNMP_NO_WRITE_SUPPORT
		91	+SKIPIF NETSNMP_DISABLE_SNMPV2C
		92	+SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE
		93	+
		94	+#
		95	+# Begin test
		96	+#
		97	+
		98	+# standard V2C configuration: testcomunnity
		99	+snmp_write_access='all'
		100	+. ./Sv2cconfig
		101	+STARTAGENT
		102	+
		103	+CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0"
		104	+
		105	+CHECK ".1.3.6.1.2.1.1.4.0 = STRING:"
		106	+
		107	+CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x"
		108	+
		109	+CHECK "Reason: wrongType"
		110	+
		111	+STOPAGENT
		112	+
		113	+FINISHED
		114	--
		115	2.25.1
		116


diff --git a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb index 6b4b6ce8ed..79f2c1d89d 100644 --- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb +++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
@@ -35,6 +35,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
35	file://CVE-2020-15861-0004.patch \	35	file://CVE-2020-15861-0004.patch \
36	file://CVE-2020-15861-0005.patch \	36	file://CVE-2020-15861-0005.patch \
37	file://CVE-2020-15862.patch \	37	file://CVE-2020-15862.patch \
		38	file://CVE-2022-44792-CVE-2022-44793.patch \
38	"	39	"
39	SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a"	40	SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a"
40	SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf"	41	SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf"