1From 4589352dac3ae111c7621298cf231742209efd9b Mon Sep 17 00:00:00 2001
2From: Bill Fenner <fenner@gmail.com>
3Date: Fri, 25 Nov 2022 08:41:24 -0800
4Subject: [PATCH ] snmp_agent: disallow SET with NULL varbind
5
6Upstream-Status: Backport [https://github.com/net-snmp/net-snmp/commit/be804106fd0771a7d05236cff36e199af077af57]
7CVE: CVE-2022-44792 & CVE-2022-44793
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 agent/snmp_agent.c | 32 +++++++++++++++++++
11 apps/snmpset.c | 1 +
12 .../default/T0142snmpv2csetnull_simple | 31 ++++++++++++++++++
13 3 files changed, 64 insertions(+)
14 create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple
15
16diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
17index 3376357..f51c252 100644
18--- a/agent/snmp_agent.c
19+++ b/agent/snmp_agent.c
20@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status)
21 return 1;
22 }
23
24+static int
25+check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
26+{
27+ int i;
28+ netsnmp_variable_list *v = NULL;
29+
30+ for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) {
31+ if (v->type == ASN_NULL) {
32+ /*
33+ * Protect SET implementations that do not protect themselves
34+ * against wrong type.
35+ */
36+ DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i));
37+ asp->index = i;
38+ return SNMP_ERR_WRONGTYPE;
39+ }
40+ }
41+ return SNMP_ERR_NOERROR;
42+}
43+
44 int
45 handle_pdu(netsnmp_agent_session *asp)
46 {
47 int status, inclusives = 0;
48 netsnmp_variable_list *v = NULL;
49
50+#ifndef NETSNMP_NO_WRITE_SUPPORT
51+ /*
52+ * Check for ASN_NULL in SET request
53+ */
54+ if (asp->pdu->command == SNMP_MSG_SET) {
55+ status = check_set_pdu_for_null_varbind(asp);
56+ if (status != SNMP_ERR_NOERROR) {
57+ return status;
58+ }
59+ }
60+#endif /* NETSNMP_NO_WRITE_SUPPORT */
61+
62 /*
63 * for illegal requests, mark all nodes as ASN_NULL
64 */
65diff --git a/apps/snmpset.c b/apps/snmpset.c
66index 50f33db..387a51d 100644
67--- a/apps/snmpset.c
68+++ b/apps/snmpset.c
69@@ -182,6 +182,7 @@ main(int argc, char *argv[])
70 case 'x':
71 case 'd':
72 case 'b':
73+ case 'n': /* undocumented */
74 #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
75 case 'I':
76 case 'U':
77diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple
78new file mode 100644
79index 0000000..0f1b8f3
80--- /dev/null
81+++ b/testing/fulltests/default/T0142snmpv2csetnull_simple
82@@ -0,0 +1,31 @@
83+#!/bin/sh
84+
85+. ../support/simple_eval_tools.sh
86+
87+HEADER SNMPv2c set of system.sysContact.0 with NULL varbind
88+
89+SKIPIF NETSNMP_DISABLE_SET_SUPPORT
90+SKIPIF NETSNMP_NO_WRITE_SUPPORT
91+SKIPIF NETSNMP_DISABLE_SNMPV2C
92+SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE
93+
94+#
95+# Begin test
96+#
97+
98+# standard V2C configuration: testcomunnity
99+snmp_write_access='all'
100+. 
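Review bot: check_set_pdu_for_null_varbind() is defined unconditionally, but its only visible caller in handle_pdu() sits inside `#ifndef NETSNMP_NO_WRITE_SUPPORT`, so a build with that macro defined leaves an unused static function (a -Wunused-function warning, fatal under -Werror). Wrapping the definition in the same `#ifndef NETSNMP_NO_WRITE_SUPPORT` / `#endif /* NETSNMP_NO_WRITE_SUPPORT */` pair keeps the two in step. The helper would also benefit from a header comment stating its contract: it returns SNMP_ERR_WRONGTYPE and sets asp->index to the 1-based position of the first ASN_NULL varbind, otherwise it returns SNMP_ERR_NOERROR and leaves asp->index alone. The check is a backstop for one type only, as its own comment implies, so SET handlers that read the varbind value still need their own type and length validation for other mismatches. handle_pdu's body continues outside the hunk.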
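Review bot: The comment on `case 'n':` says only "undocumented", which gives a maintainer no reason for the type character to exist in a shipped tool. Judging by the test added in this patch, which calls snmpset with `n x` to send a NULL varbind, it appears to be there for regression testing, so something like `case 'n': /* NULL value; undocumented, used by the SET-with-NULL regression test */` would record that. The switch in main() starts and ends outside the hunk, so what the case falls through to is not visible here.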
./Sv2cconfig
101+STARTAGENT
102+
103+CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0"
104+
105+CHECK ".1.3.6.1.2.1.1.4.0 = STRING:"
106+
107+CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x"
108+
109+CHECK "Reason: wrongType"
110+
111+STOPAGENT
112+
113+FINISHED
114--
1152.25.1
116
117
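Review bot: The test checks only that snmpset reports `Reason: wrongType`; it never confirms afterwards that the agent still answers or that sysContact.0 kept its value. Repeating the existing snmpget CAPTURE and its `CHECK ".1.3.6.1.2.1.1.4.0 = STRING:"` after the snmpset step, before STOPAGENT, would cover both, assuming STOPAGENT does not already fail on an agent that has exited. The configuration comment also misspells the community name as `testcomunnity`, while the commands use `testcommunity`.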