Author: ngie
Date: Sat Jan  7 08:48:51 2017
New Revision: 311597
URL: https://svnweb.freebsd.org/changeset/base/311597

Log:
  MFC r310957,r310958,r310960:
  
  r310957:
  
  Use strlcpy when copying `com` to pdu->community to avoid potential
  buffer overruns
  
  CID:          1006823, 1006824
  
  r310958:
  
  Initialize ret to SNMPD_INPUT_OK at the top of snmp_input_start(..) to
  avoid returning an uninitialized value
  
  There are some really complicated, snakey if-statements combined with
  switch statements that could result in an invalid value being returned
  as `ret`
  
  CID:          1006551
  
  r310960:
  
  Similar to r310954, set .len to 0 on malloc failure and to `len` only
  on success

Modified:
  stable/10/contrib/bsnmp/snmpd/export.c
  stable/10/contrib/bsnmp/snmpd/main.c
  stable/10/contrib/bsnmp/snmpd/trap.c
Directory Properties:
  stable/10/   (props changed)

Modified: stable/10/contrib/bsnmp/snmpd/export.c
==============================================================================
--- stable/10/contrib/bsnmp/snmpd/export.c      Sat Jan  7 08:47:27 2017        
(r311596)
+++ stable/10/contrib/bsnmp/snmpd/export.c      Sat Jan  7 08:48:51 2017        
(r311597)
@@ -114,9 +114,11 @@ string_get(struct snmp_value *value, con
        }
        if (len == -1)
                len = strlen(ptr);
-       value->v.octetstring.len = (u_long)len;
-       if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+       if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+               value->v.octetstring.len = 0;
                return (SNMP_ERR_RES_UNAVAIL);
+       }
+       value->v.octetstring.len = (u_long)len;
        memcpy(value->v.octetstring.octets, ptr, (size_t)len);
        return (SNMP_ERR_NOERROR);
 }
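Review bot: A zero `len` (for example an empty string after the `strlen(ptr)` fallback) is still passed to `malloc((size_t)len)`, and malloc(0) is allowed to return NULL, so on such a platform an empty octet string would be reported as SNMP_ERR_RES_UNAVAIL. If empty values are legitimate here, requesting at least one byte avoids that: `if ((value->v.octetstring.octets = malloc(len != 0 ? (size_t)len : 1)) == NULL) {`. The same pattern appears in the string_get_max hunk that follows. string_get starts above this hunk, so the declared type of `len` and where `ptr` comes from are not visible here.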
@@ -138,9 +140,11 @@ string_get_max(struct snmp_value *value,
                len = strlen(ptr);
        if ((size_t)len > maxlen)
                len = maxlen;
-       value->v.octetstring.len = (u_long)len;
-       if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+       if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+               value->v.octetstring.len = 0;
                return (SNMP_ERR_RES_UNAVAIL);
+       }
+       value->v.octetstring.len = (u_long)len;
        memcpy(value->v.octetstring.octets, ptr, (size_t)len);
        return (SNMP_ERR_NOERROR);
 }
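Review bot: The clamp `if ((size_t)len > maxlen) len = maxlen;` turns any negative `len` other than the -1 sentinel into `maxlen`, so the `memcpy` below it would read `maxlen` bytes from `ptr` no matter how much data is really there. Whether `len` is signed cannot be seen in this hunk because the signature is cut off, but the `len == -1` test in string_get suggests it is. If so, the contract deserves a comment above the clamp, for example `/* len is -1 (NUL-terminated ptr) or a byte count >= 0 */`, and a negative count should be rejected before the cast with whichever error code the callers expect.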

Modified: stable/10/contrib/bsnmp/snmpd/main.c
==============================================================================
--- stable/10/contrib/bsnmp/snmpd/main.c        Sat Jan  7 08:47:27 2017        
(r311596)
+++ stable/10/contrib/bsnmp/snmpd/main.c        Sat Jan  7 08:48:51 2017        
(r311597)
@@ -492,6 +492,8 @@ snmp_input_start(const u_char *buf, size
        b.asn_cptr = buf;
        b.asn_len = len;
 
+       ret = SNMPD_INPUT_OK;
+
        /* look whether we have enough bytes for the entire PDU. */
        switch (sret = snmp_pdu_snoop(&b)) {
 
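Review bot: Defaulting `ret` to `SNMPD_INPUT_OK` ahead of the `snmp_pdu_snoop()` switch means any path that reaches `decoded:` without assigning `ret` now reports success. That removes the uninitialized read but fails open in what appears to be the parser for received PDU bytes. The commit log itself calls the control flow hard to follow, so a comment at the assignment would help, e.g. `/* default only; every error path below must overwrite ret */`, or the default could be a failure value that the success path sets explicitly. The second hunk in this file only removes the old assignment before `decoded:`. snmp_input_start begins and ends outside both hunks, so which paths skip the assignment cannot be confirmed from here.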
@@ -520,8 +522,6 @@ snmp_input_start(const u_char *buf, size
        }
        code = snmp_pdu_decode_scoped(&b, pdu, ip);
 
-       ret = SNMPD_INPUT_OK;
-
 decoded:
        snmpd_stats.inPkts++;
 

Modified: stable/10/contrib/bsnmp/snmpd/trap.c
==============================================================================
--- stable/10/contrib/bsnmp/snmpd/trap.c        Sat Jan  7 08:47:27 2017        
(r311596)
+++ stable/10/contrib/bsnmp/snmpd/trap.c        Sat Jan  7 08:48:51 2017        
(r311597)
@@ -422,7 +422,7 @@ snmp_create_v1_trap(struct snmp_pdu *pdu
     const struct asn_oid *trap_oid)
 {
        memset(pdu, 0, sizeof(*pdu));
-       strcpy(pdu->community, com);
+       strlcpy(pdu->community, com, sizeof(pdu->community));
 
        pdu->version = SNMP_V1;
        pdu->type = SNMP_PDU_TRAP;
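Review bot: The `strlcpy()` into `pdu->community` truncates silently when `com` is longer than the field, so a trap could be sent with a shortened community string and nothing would record it. Checking the return value makes that visible: `if (strlcpy(pdu->community, com, sizeof(pdu->community)) >= sizeof(pdu->community))` followed by a log call or an early return, depending on what the callers can handle. The same applies to the snmp_create_v2_trap hunk below. Both function bodies continue past their hunks and the return type is not shown, so whether an error can be propagated needs checking against the full file.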
@@ -439,7 +439,7 @@ snmp_create_v2_trap(struct snmp_pdu *pdu
     const struct asn_oid *trap_oid)
 {
        memset(pdu, 0, sizeof(*pdu));
-       strcpy(pdu->community, com);
+       strlcpy(pdu->community, com, sizeof(pdu->community));
 
        pdu->version = SNMP_V2c;
        pdu->type = SNMP_PDU_TRAP2;