svn commit: r350646 - in releng: 11.2/contrib/bsnmp/lib 11.3/contrib/bsnmp/lib 12.0/contrib/bsnmp/lib

Gordon Tetlow gordon at FreeBSD.org
Tue Aug 6 17:12:18 UTC 2019 

Author: gordon
Date: Tue Aug  6 17:12:17 2019
New Revision: 350646
URL: https://svnweb.freebsd.org/changeset/base/350646

Log:
  Fix insufficient message length validation in bsnmp library.
  
  Approved by:	so
  Security:	FreeBSD-SA-19:20.bsnmp
  Security:	CVE-2019-5610

Modified:
  releng/11.2/contrib/bsnmp/lib/asn1.c
  releng/11.3/contrib/bsnmp/lib/asn1.c
  releng/12.0/contrib/bsnmp/lib/asn1.c

Modified: releng/11.2/contrib/bsnmp/lib/asn1.c
==============================================================================
--- releng/11.2/contrib/bsnmp/lib/asn1.c	Tue Aug  6 17:11:30 2019	(r350645)
+++ releng/11.2/contrib/bsnmp/lib/asn1.c	Tue Aug  6 17:12:17 2019	(r350646)
@@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, asn_le
 		*len = *b->asn_cptr++;
 		b->asn_len--;
 	}
+	if (*len > b->asn_len) {
+		asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len);
+		return (ASN_ERR_EOBUF);
+	}
+	
 	return (ASN_ERR_OK);
 }
 

Modified: releng/11.3/contrib/bsnmp/lib/asn1.c
==============================================================================
--- releng/11.3/contrib/bsnmp/lib/asn1.c	Tue Aug  6 17:11:30 2019	(r350645)
+++ releng/11.3/contrib/bsnmp/lib/asn1.c	Tue Aug  6 17:12:17 2019	(r350646)
@@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, asn_le
 		*len = *b->asn_cptr++;
 		b->asn_len--;
 	}
+	if (*len > b->asn_len) {
+		asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len);
+		return (ASN_ERR_EOBUF);
+	}
+	
 	return (ASN_ERR_OK);
 }
 

Modified: releng/12.0/contrib/bsnmp/lib/asn1.c
==============================================================================
--- releng/12.0/contrib/bsnmp/lib/asn1.c	Tue Aug  6 17:11:30 2019	(r350645)
+++ releng/12.0/contrib/bsnmp/lib/asn1.c	Tue Aug  6 17:12:17 2019	(r350646)
@@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, asn_le
 		*len = *b->asn_cptr++;
 		b->asn_len--;
 	}
+	if (*len > b->asn_len) {
+		asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len);
+		return (ASN_ERR_EOBUF);
+	}
+	
 	return (ASN_ERR_OK);
 }

More information about the svn-src-all mailing list