svn commit: r350646 - in releng: 11.2/contrib/bsnmp/lib 11.3/contrib/bsnmp/lib 12.0/contrib/bsnmp/lib
Gordon Tetlow
gordon at FreeBSD.org
Tue Aug 6 17:12:18 UTC 2019
Author: gordon
Date: Tue Aug 6 17:12:17 2019
New Revision: 350646
URL: https://svnweb.freebsd.org/changeset/base/350646
Log:
Fix insufficient message length validation in bsnmp library.
Approved by: so
Security: FreeBSD-SA-19:20.bsnmp
Security: CVE-2019-5610
Modified:
releng/11.2/contrib/bsnmp/lib/asn1.c
releng/11.3/contrib/bsnmp/lib/asn1.c
releng/12.0/contrib/bsnmp/lib/asn1.c
Modified: releng/11.2/contrib/bsnmp/lib/asn1.c
==============================================================================
--- releng/11.2/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:11:30 2019 (r350645)
+++ releng/11.2/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:12:17 2019 (r350646)
@@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, asn_le
*len = *b->asn_cptr++;
b->asn_len--;
}
+ if (*len > b->asn_len) {
+ asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len);
+ return (ASN_ERR_EOBUF);
+ }
+
return (ASN_ERR_OK);
}
Modified: releng/11.3/contrib/bsnmp/lib/asn1.c
==============================================================================
--- releng/11.3/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:11:30 2019 (r350645)
+++ releng/11.3/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:12:17 2019 (r350646)
@@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, asn_le
*len = *b->asn_cptr++;
b->asn_len--;
}
+ if (*len > b->asn_len) {
+ asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len);
+ return (ASN_ERR_EOBUF);
+ }
+
return (ASN_ERR_OK);
}
Modified: releng/12.0/contrib/bsnmp/lib/asn1.c
==============================================================================
--- releng/12.0/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:11:30 2019 (r350645)
+++ releng/12.0/contrib/bsnmp/lib/asn1.c Tue Aug 6 17:12:17 2019 (r350646)
@@ -100,6 +100,11 @@ asn_get_header(struct asn_buf *b, u_char *type, asn_le
*len = *b->asn_cptr++;
b->asn_len--;
}
+ if (*len > b->asn_len) {
+ asn_error(b, "len %u exceeding asn_len %u", *len, b->asn_len);
+ return (ASN_ERR_EOBUF);
+ }
+
return (ASN_ERR_OK);
}
More information about the svn-src-all
mailing list