net-snmp: Security fix CVE-2019-20892

Source: net-snmp.org MR: 104509 Type: Security Fix Disposition: Backport from 5f881d3bf2 ChangeID: 206d822029d48d904864f23fd1b1af69dffc26c8 Description: Fixes CVE-2019-20892 which affect net-snmp <= 5.8pre1 Had to fix up some file do to later code restructioning. "int refcnt;" addition was done in include/net-snmp/library/snmpusm.h Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit 96a63b1ecf) Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-01-04 16:10:10 +00:00 · 2020-06-26 16:14:10 -07:00 · 2020-06-26 16:14:10 -07:00 · b2acef6703
commit b2acef6703
parent 1d5fe0c17d
2 changed files with 119 additions and 0 deletions
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp/CVE-2019-20892.patch
@ -0,0 +1,118 @@
+From 5f881d3bf24599b90d67a45cae7a3eb099cd71c9 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Sat, 27 Jul 2019 19:34:09 -0700
+Subject: [PATCH] libsnmp, USM: Introduce a reference count in struct
+ usmStateReference
+
+This patch fixes https://sourceforge.net/p/net-snmp/bugs/2956/.
+
+Upstream-Status: Backport
+[ak: fixup for 5.8 context, changes to library/snmpusm.h]
+CVE:CVE-2019-20892
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ snmplib/snmp_client.c | 22 +++----------
+ snmplib/snmpusm.c     | 73 ++++++++++++++++++++++++++++---------------
+ 2 files changed, 53 insertions(+), 42 deletions(-)
+
+Index: net-snmp-5.8/snmplib/snmpusm.c
+===================================================================
+--- net-snmp-5.8.orig/snmplib/snmpusm.c
+++ net-snmp-5.8/snmplib/snmpusm.c
+@@ -285,12 +285,35 @@ free_enginetime_on_shutdown(int majorid,
+ struct usmStateReference *
+ usm_malloc_usmStateReference(void)
+ {
+-    struct usmStateReference *retval = (struct usmStateReference *)
+-        calloc(1, sizeof(struct usmStateReference));
+   struct usmStateReference *retval;
+ 
+    retval = calloc(1, sizeof(struct usmStateReference));
+    if (retval)
+        retval->refcnt = 1;
+     return retval;
+ }                               /* end usm_malloc_usmStateReference() */
+ 
+static int
+usm_clone(netsnmp_pdu *pdu, netsnmp_pdu *new_pdu)
+{
+    struct usmStateReference *ref = pdu->securityStateRef;
+    struct usmStateReference **new_ref =
+        (struct usmStateReference **)&new_pdu->securityStateRef;
+    int ret = 0;
+
+    if (!ref)
+        return ret;
+
+    if (pdu->command == SNMP_MSG_TRAP2) {
+        netsnmp_assert(pdu->securityModel == SNMP_DEFAULT_SECMODEL);
+        ret = usm_clone_usmStateReference(ref, new_ref);
+    } else {
+        netsnmp_assert(ref == *new_ref);
+        ref->refcnt++;
+    }
+
+    return ret;
+}
+ 
+ void
+ usm_free_usmStateReference(void *old)
+@@ -3345,6 +3368,7 @@ init_usm(void)
+     def->encode_reverse = usm_secmod_rgenerate_out_msg;
+     def->encode_forward = usm_secmod_generate_out_msg;
+     def->decode = usm_secmod_process_in_msg;
+    def->pdu_clone = usm_clone;
+     def->pdu_free_state_ref = usm_free_usmStateReference;
+     def->session_setup = usm_session_init;
+     def->handle_report = usm_handle_report;
+Index: net-snmp-5.8/snmplib/snmp_client.c
+===================================================================
+--- net-snmp-5.8.orig/snmplib/snmp_client.c
+++ net-snmp-5.8/snmplib/snmp_client.c
+@@ -402,27 +402,15 @@ _clone_pdu_header(netsnmp_pdu *pdu)
+         return NULL;
+     }
+ 
+-    if (pdu->securityStateRef &&
+-        pdu->command == SNMP_MSG_TRAP2) {
+-
+-        ret = usm_clone_usmStateReference((struct usmStateReference *) pdu->securityStateRef,
+-                (struct usmStateReference **) &newpdu->securityStateRef );
+-
+-        if (ret)
+-        {
+    sptr = find_sec_mod(newpdu->securityModel);
+    if (sptr && sptr->pdu_clone) {
+        /* call security model if it needs to know about this */
+        ret = sptr->pdu_clone(pdu, newpdu);
+        if (ret) {
+             snmp_free_pdu(newpdu);
+             return NULL;
+         }
+     }
+-
+-    if ((sptr = find_sec_mod(newpdu->securityModel)) != NULL &&
+-        sptr->pdu_clone != NULL) {
+-        /*
+-         * call security model if it needs to know about this 
+-         */
+-        (*sptr->pdu_clone) (pdu, newpdu);
+-    }
+-
+     return newpdu;
+ }
+ 
+Index: net-snmp-5.8/include/net-snmp/library/snmpusm.h
+===================================================================
+--- net-snmp-5.8.orig/include/net-snmp/library/snmpusm.h
+++ net-snmp-5.8/include/net-snmp/library/snmpusm.h
+@@ -43,6 +43,7 @@ extern          "C" {
+      * Structures.
+      */
+     struct usmStateReference {
+        int             refcnt;
+         char           *usr_name;
+         size_t          usr_name_length;
+         u_char         *usr_engine_id;
--- a/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
+++ b/meta-networking/recipes-protocols/net-snmp/net-snmp_5.8.bb
@ -28,6 +28,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/net-snmp/net-snmp-${PV}.tar.gz \
           file://reproducibility-accept-configure-options-from-env.patch \
           file://0001-net-snmp-fix-compile-error-disable-des.patch \
           file://0001-Add-pkg-config-support-for-building-applications-and.patch \
+           file://CVE-2019-20892.patch \
           "
 SRC_URI[md5sum] = "63bfc65fbb86cdb616598df1aff6458a"
 SRC_URI[sha256sum] = "b2fc3500840ebe532734c4786b0da4ef0a5f67e51ef4c86b3345d697e4976adf"