svn commit: r311596 - stable/11/contrib/bsnmp/snmpd
Ngie Cooper
ngie at FreeBSD.org
Sat Jan 7 08:47:28 UTC 2017
Author: ngie
Date: Sat Jan 7 08:47:27 2017
New Revision: 311596
URL: https://svnweb.freebsd.org/changeset/base/311596
Log:
MFC r310957,r310958,r310960:
r310957:
Use strlcpy when copying `com` to pdu->community to avoid potential
buffer overruns
CID: 1006823, 1006824
r310958:
Initialize ret to SNMPD_INPUT_OK at the top of snmp_input_start(..) to
avoid returning an uninitialized value
There are some really complicated, snakey if-statements combined with
switch statements that could result in an invalid value being returned
as `ret`
CID: 1006551
r310960:
Similar to r310954, set .len to 0 on malloc failure and to `len` only
on success
Modified:
stable/11/contrib/bsnmp/snmpd/export.c
stable/11/contrib/bsnmp/snmpd/main.c
stable/11/contrib/bsnmp/snmpd/trap.c
Directory Properties:
stable/11/ (props changed)
Modified: stable/11/contrib/bsnmp/snmpd/export.c
==============================================================================
--- stable/11/contrib/bsnmp/snmpd/export.c Sat Jan 7 08:46:16 2017 (r311595)
+++ stable/11/contrib/bsnmp/snmpd/export.c Sat Jan 7 08:47:27 2017 (r311596)
@@ -114,9 +114,11 @@ string_get(struct snmp_value *value, con
}
if (len == -1)
len = strlen(ptr);
- value->v.octetstring.len = (u_long)len;
- if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+ if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+ value->v.octetstring.len = 0;
return (SNMP_ERR_RES_UNAVAIL);
+ }
+ value->v.octetstring.len = (u_long)len;
memcpy(value->v.octetstring.octets, ptr, (size_t)len);
return (SNMP_ERR_NOERROR);
}
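Review bot: An empty string can still be reported as SNMP_ERR_RES_UNAVAIL in string_get, and in the identical change to string_get_max. `malloc((size_t)len)` with `len == 0` may legally return NULL on some C libraries, and the new branch treats every NULL as an allocation failure. Since this is contrib code that may be built on other platforms, consider `malloc(len == 0 ? 1 : (size_t)len)`. Only `-1` is treated as "use strlen", so any other negative `len` is cast to a huge `size_t` and relies on malloc failing; a comment such as `/* len < -1 is a caller error and ends up as an allocation failure */` would make that explicit. Both functions begin outside their hunks, so any earlier validation of `len` is not visible here.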
@@ -138,9 +140,11 @@ string_get_max(struct snmp_value *value,
len = strlen(ptr);
if ((size_t)len > maxlen)
len = maxlen;
- value->v.octetstring.len = (u_long)len;
- if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+ if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+ value->v.octetstring.len = 0;
return (SNMP_ERR_RES_UNAVAIL);
+ }
+ value->v.octetstring.len = (u_long)len;
memcpy(value->v.octetstring.octets, ptr, (size_t)len);
return (SNMP_ERR_NOERROR);
}
Modified: stable/11/contrib/bsnmp/snmpd/main.c
==============================================================================
--- stable/11/contrib/bsnmp/snmpd/main.c Sat Jan 7 08:46:16 2017 (r311595)
+++ stable/11/contrib/bsnmp/snmpd/main.c Sat Jan 7 08:47:27 2017 (r311596)
@@ -492,6 +492,8 @@ snmp_input_start(const u_char *buf, size
b.asn_cptr = buf;
b.asn_len = len;
+ ret = SNMPD_INPUT_OK;
+
/* look whether we have enough bytes for the entire PDU. */
switch (sret = snmp_pdu_snoop(&b)) {
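Review bot: Defaulting `ret` to SNMPD_INPUT_OK makes snmp_input_start fail open: any path that reaches `decoded:` without assigning `ret` now reports the packet as accepted instead of returning an indeterminate value. For a routine that parses packets from the network, it would be safer to initialise `ret` to a failure value of the same enum and set SNMPD_INPUT_OK only where the second hunk removes the assignment. If the success default is kept, document it at the assignment, e.g. `/* default result; every error path must overwrite ret before decoded: */`. The function body runs beyond this hunk, so whether such a path exists cannot be confirmed from here.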
@@ -520,8 +522,6 @@ snmp_input_start(const u_char *buf, size
}
code = snmp_pdu_decode_scoped(&b, pdu, ip);
- ret = SNMPD_INPUT_OK;
-
decoded:
snmpd_stats.inPkts++;
Modified: stable/11/contrib/bsnmp/snmpd/trap.c
==============================================================================
--- stable/11/contrib/bsnmp/snmpd/trap.c Sat Jan 7 08:46:16 2017 (r311595)
+++ stable/11/contrib/bsnmp/snmpd/trap.c Sat Jan 7 08:47:27 2017 (r311596)
@@ -422,7 +422,7 @@ snmp_create_v1_trap(struct snmp_pdu *pdu
const struct asn_oid *trap_oid)
{
memset(pdu, 0, sizeof(*pdu));
- strcpy(pdu->community, com);
+ strlcpy(pdu->community, com, sizeof(pdu->community));
pdu->version = SNMP_V1;
pdu->type = SNMP_PDU_TRAP;
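Review bot: The return value of `strlcpy` is ignored here and in the matching change in snmp_create_v2_trap, so a community string longer than `pdu->community` is now truncated silently. The overflow is closed, but the trap would presumably then be sent with a community different from the one configured. Detect the truncation with `if (strlcpy(pdu->community, com, sizeof(pdu->community)) >= sizeof(pdu->community))`, then log it and skip the trap. Both functions continue outside their hunks, so how a failure would be reported to the caller is not visible.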
@@ -439,7 +439,7 @@ snmp_create_v2_trap(struct snmp_pdu *pdu
const struct asn_oid *trap_oid)
{
memset(pdu, 0, sizeof(*pdu));
- strcpy(pdu->community, com);
+ strlcpy(pdu->community, com, sizeof(pdu->community));
pdu->version = SNMP_V2c;
pdu->type = SNMP_PDU_TRAP2;