author | ngie <ngie@FreeBSD.org> | 2017-01-07 08:47:27 +0000 |
---|---|---|
committer | ngie <ngie@FreeBSD.org> | 2017-01-07 08:47:27 +0000 |
commit | e7482bc1d4714d175bbbf7b05a49997db377de97 (patch) | |
tree | 7fdfc50760ab55ce080f5e81debc703bdfa9ac6a | |
parent | 2cb44498088056d38bb9e7c7ca5ae817b650d87d (diff) | |
MFC r310957,r310958,r310960:
r310957:
Use strlcpy when copying `com` to pdu->community to avoid potential
buffer overruns
CID: 1006823, 1006824
r310958:
Initialize ret to SNMPD_INPUT_OK at the top of snmp_input_start(..) to
avoid returning an uninitialized value
There are some really complicated, snakey if-statements combined with
switch statements that could result in an invalid value being returned
as `ret`
CID: 1006551
r310960:
Similar to r310954, set .len to 0 on malloc failure and to `len` only
on success
-rw-r--r-- | contrib/bsnmp/snmpd/export.c | 12 | ||||
-rw-r--r-- | contrib/bsnmp/snmpd/main.c | 4 | ||||
-rw-r--r-- | contrib/bsnmp/snmpd/trap.c | 4 |
3 files changed, 12 insertions, 8 deletions
diff --git a/contrib/bsnmp/snmpd/export.c b/contrib/bsnmp/snmpd/export.c
index f394db0..3135606 100644
--- a/contrib/bsnmp/snmpd/export.c
+++ b/contrib/bsnmp/snmpd/export.c
@@ -114,9 +114,11 @@ string_get(struct snmp_value *value, const u_char *ptr, ssize_t len)
 }
 if (len == -1)
 len = strlen(ptr);
- value->v.octetstring.len = (u_long)len;
- if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+ if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+ value->v.octetstring.len = 0;
 return (SNMP_ERR_RES_UNAVAIL);
+ }
+ value->v.octetstring.len = (u_long)len;
 memcpy(value->v.octetstring.octets, ptr, (size_t)len);
 return (SNMP_ERR_NOERROR);
 }
@@ -138,9 +140,11 @@ string_get_max(struct snmp_value *value, const u_char *ptr, ssize_t len,
 len = strlen(ptr);
 if ((size_t)len > maxlen)
 len = maxlen;
- value->v.octetstring.len = (u_long)len;
- if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL)
+ if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {
+ value->v.octetstring.len = 0;
 return (SNMP_ERR_RES_UNAVAIL);
+ }
+ value->v.octetstring.len = (u_long)len;
 memcpy(value->v.octetstring.octets, ptr, (size_t)len);
 return (SNMP_ERR_NOERROR);
 }
diff --git a/contrib/bsnmp/snmpd/main.c b/contrib/bsnmp/snmpd/main.c
index 8ba78f8..2ab8bbd 100644
--- a/contrib/bsnmp/snmpd/main.c
+++ b/contrib/bsnmp/snmpd/main.c
@@ -492,6 +492,8 @@ snmp_input_start(const u_char *buf, size_t len, const char *source,
 b.asn_cptr = buf;
 b.asn_len = len;
+ ret = SNMPD_INPUT_OK;
+
 /* look whether we have enough bytes for the entire PDU. */
 switch (sret = snmp_pdu_snoop(&b)) {
@@ -520,8 +522,6 @@ snmp_input_start(const u_char *buf, size_t len, const char *source,
 }
 code = snmp_pdu_decode_scoped(&b, pdu, ip);
- ret = SNMPD_INPUT_OK;
-
 decoded:
 snmpd_stats.inPkts++;
diff --git a/contrib/bsnmp/snmpd/trap.c b/contrib/bsnmp/snmpd/trap.c
index cead6b5..30ff293 100644
--- a/contrib/bsnmp/snmpd/trap.c
+++ b/contrib/bsnmp/snmpd/trap.c
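Review bot: A zero-length value still depends on what `malloc(0)` returns in the new `if ((value->v.octetstring.octets = malloc((size_t)len)) == NULL) {` branch of string_get. On an implementation that returns NULL for a zero-byte request, an empty string would be reported as SNMP_ERR_RES_UNAVAIL although nothing failed. Requesting at least one byte, `malloc(len > 0 ? (size_t)len : 1)`, keeps the error path for real allocation failures only. The same branch is added to string_get_max in the next hunk. string_get starts above this hunk, so any earlier handling of empty input is not visible here.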
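Review bot: A negative `len` other than -1 is not rejected before `if ((size_t)len > maxlen) len = maxlen;` in string_get_max. The cast turns it into a very large value, the clamp sets it to `maxlen`, and the `memcpy` then copies `maxlen` bytes from `ptr` regardless of how much data is actually behind it. Callers presumably pass only -1 or a real length, but the function does not enforce that; a guard such as `if (len < -1) return (SNMP_ERR_GENERR);` ahead of the clamp, or at least a comment stating the contract, would close the gap. The start of string_get_max, including its `len == -1` test, is outside this hunk.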
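Review bot: Defaulting `ret` to SNMPD_INPUT_OK at the top of snmp_input_start makes every path that forgets to assign it report success, which hides exactly the kind of missed branch the commit message describes. A fail-closed default would be safer: initialise with `ret = SNMPD_INPUT_FAILED;` here and keep `ret = SNMPD_INPUT_OK;` after `snmp_pdu_decode_scoped()` where it was, so an unhandled branch shows up as a rejected packet rather than an accepted one. Which branches reach `decoded:` without setting `ret` cannot be seen from these hunks, so the full switch needs checking before the default is changed.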
@@ -422,7 +422,7 @@ snmp_create_v1_trap(struct snmp_pdu *pdu, char *com,
 const struct asn_oid *trap_oid)
 {
 memset(pdu, 0, sizeof(*pdu));
- strcpy(pdu->community, com);
+ strlcpy(pdu->community, com, sizeof(pdu->community));
 pdu->version = SNMP_V1;
 pdu->type = SNMP_PDU_TRAP;
@@ -439,7 +439,7 @@ snmp_create_v2_trap(struct snmp_pdu *pdu, char *com,
 const struct asn_oid *trap_oid)
 {
 memset(pdu, 0, sizeof(*pdu));
- strcpy(pdu->community, com);
+ strlcpy(pdu->community, com, sizeof(pdu->community));
 pdu->version = SNMP_V2c;
 pdu->type = SNMP_PDU_TRAP2; |
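Review bot: The return value of `strlcpy` is ignored in snmp_create_v1_trap, so a community string longer than `pdu->community` is silently truncated and the trap is built with a different community than the one configured. The copy itself is bounded and the buffer was just zeroed by `memset`, but the truncation should be detected, e.g. `if (strlcpy(pdu->community, com, sizeof(pdu->community)) >= sizeof(pdu->community))` followed by a log message or an early return. The same applies to snmp_create_v2_trap in the next hunk. Both function bodies continue past the end of their hunks, so how a failure would be reported to the caller is not visible here.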