From 55302f3420aff66fbab34813e8fc0670660474bf Mon Sep 17 00:00:00 2001
From: ngie
Date: Sat, 7 Jan 2017 08:48:51 +0000
Subject: [PATCH] MFC r310957,r310958,r310960: r310957: Use strlcpy when copying `com` to pdu->community to avoid potential buffer overruns CID: 1006823, 1006824 r310958: Initialize ret to SNMPD_INPUT_OK at the top of snmp_input_start(..) to avoid returning an uninitialized value There are some really complicated, snakey if-statements combined with switch statements that could result in an invalid value being returned as `ret` CID: 1006551 r310960: Similar to r310954, set .len to 0 on malloc failure and to `len` only on success git-svn-id: svn://svn.freebsd.org/base/stable/10@311597 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 contrib/bsnmp/snmpd/export.c | 12 ++++++++----
 contrib/bsnmp/snmpd/main.c | 4 ++--
 contrib/bsnmp/snmpd/trap.c | 4 ++--
 3 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/contrib/bsnmp/snmpd/export.c b/contrib/bsnmp/snmpd/export.c
index f394db00d..313560658 100644
--- a/contrib/bsnmp/snmpd/export.c
+++ b/contrib/bsnmp/snmpd/export.c
@@ -114,9 +114,11 @@ string_get(struct snmp_value *value, const u_char *ptr, ssize_t len)
 }
 if (len == -1)
 len = strlen(ptr);
- value->v.octetstring.len = (u_long)len;
- if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+ if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+ value->v.octetstring.len = 0;
 return (SNMP_ERR_RES_UNAVAIL);
+ }
+ value->v.octetstring.len = (u_long)len;
 memcpy(value->v.octetstring.octets, ptr, (size_t)len);
 return (SNMP_ERR_NOERROR);
 }
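Review bot: A zero-length value still reaches `malloc((size_t)len)` with `len == 0`, and C permits `malloc(0)` to return NULL, so on such a libc the new failure branch would report SNMP_ERR_RES_UNAVAIL for a valid empty string (FreeBSD's malloc hands back a usable pointer for size 0, so this is a portability point for the contrib code rather than a live fault on the target). string_get_max at the +140 hunk has the same shape and the same consideration. The failure branch now leaves `.octets` NULL and `.len` 0 together, which is the invariant the change establishes; a one-line comment at the `value->v.octetstring.len = 0;` line such as `/* keep len == 0 whenever octets == NULL so the value can always be freed safely */` would make that explicit for the next reader. string_get begins before this hunk, so its earlier argument checks are not visible here.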
@@ -138,9 +140,11 @@ string_get_max(struct snmp_value *value, const u_char *ptr, ssize_t len,
 len = strlen(ptr);
 if ((size_t)len > maxlen)
 len = maxlen;
- value->v.octetstring.len = (u_long)len;
- if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+ if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+ value->v.octetstring.len = 0;
 return (SNMP_ERR_RES_UNAVAIL);
+ }
+ value->v.octetstring.len = (u_long)len;
 memcpy(value->v.octetstring.octets, ptr, (size_t)len);
 return (SNMP_ERR_NOERROR);
 }
diff --git a/contrib/bsnmp/snmpd/main.c b/contrib/bsnmp/snmpd/main.c
index 8ba78f853..2ab8bbdc6 100644
--- a/contrib/bsnmp/snmpd/main.c
+++ b/contrib/bsnmp/snmpd/main.c
@@ -492,6 +492,8 @@ snmp_input_start(const u_char *buf, size_t len, const char *source,
 b.asn_cptr = buf;
 b.asn_len = len;
 
+ ret = SNMPD_INPUT_OK;
+
 /* look whether we have enough bytes for the entire PDU. */
 switch (sret = snmp_pdu_snoop(&b)) {
 
@@ -520,8 +522,6 @@ snmp_input_start(const u_char *buf, size_t len, const char *source,
 }
 code = snmp_pdu_decode_scoped(&b, pdu, ip);
 
- ret = SNMPD_INPUT_OK;
-
 decoded:
 snmpd_stats.inPkts++;
 
diff --git a/contrib/bsnmp/snmpd/trap.c b/contrib/bsnmp/snmpd/trap.c
index cead6b5af..30ff29304 100644
--- a/contrib/bsnmp/snmpd/trap.c
+++ b/contrib/bsnmp/snmpd/trap.c
@@ -422,7 +422,7 @@ snmp_create_v1_trap(struct snmp_pdu *pdu, char *com,
 const struct asn_oid *trap_oid)
 {
 memset(pdu, 0, sizeof(*pdu));
- strcpy(pdu->community, com);
+ strlcpy(pdu->community, com, sizeof(pdu->community));
 pdu->version = SNMP_V1;
 pdu->type = SNMP_PDU_TRAP;
 
@@ -439,7 +439,7 @@ snmp_create_v2_trap(struct snmp_pdu *pdu, char *com,
 const struct asn_oid *trap_oid)
 {
 memset(pdu, 0, sizeof(*pdu));
- strcpy(pdu->community, com);
+ strlcpy(pdu->community, com, sizeof(pdu->community));
 pdu->version = SNMP_V2c;
 pdu->type = SNMP_PDU_TRAP2;
 
-- 
2.45.0
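Review bot: Defaulting `ret` to SNMPD_INPUT_OK ahead of the `snmp_pdu_snoop` switch means any path that forgets to assign `ret` now accepts the packet, so the uninitialized read Coverity flagged (CID 1006551) turns into a silent fail-open rather than a detectable fault; for an input-validation routine in a network daemon, initializing `ret` to the enum's failure value (not visible in this hunk) and assigning SNMPD_INPUT_OK only on the successful decode path — the spot the -520 hunk removes it from — would fail closed. Whether the file's error paths jump to `decoded:` relying on `ret` already holding OK needs checking first: the switch arms and the remainder of snmp_input_start lie outside both hunks, so I cannot see which paths set `ret` explicitly. If the early assignment is kept, placing it on the declaration of `ret` as an initializer (above the hunk) would be the more conventional form. The same point covers the removal hunk at -520.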
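Review bot: `strlcpy` closes the overrun but truncates silently, and its return value is discarded, so a `com` longer than `pdu->community` yields a trap carrying a truncated community string with no indication to the caller; a check such as `if (strlcpy(pdu->community, com, sizeof(pdu->community)) >= sizeof(pdu->community))` followed by a log message or an error return would surface that (the return type is above the hunk, so I cannot tell which is available). snmp_create_v2_trap at the +439 hunk has the identical line and the same consideration. `com` is only read here, so `const char *com` in the signature would also document the contract. Both functions continue past their hunks.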