File net-snmp-5.4.2_audit.patch of Package net-snmp
Index: agent/mibgroup/examples/ucdDemoPublic.c
===================================================================
--- agent/mibgroup/examples/ucdDemoPublic.c.orig 2002-12-19 16:07:36.000000000 +0100
+++ agent/mibgroup/examples/ucdDemoPublic.c 2008-10-24 15:30:26.538387687 +0200
@@ -219,7 +219,11 @@ write_ucdDemoPublicString(int action,
}
if (action == COMMIT) {
if (var_val_len != 0) {
- strcpy(publicString, var_val);
+ strncpy(publicString, var_val, sizeof(publicString)-1);
+ /* XXX thomas: just some sanity checks */
+ if(strlen(var_val) > sizeof(publicString)-1 || strlen(var_val) != var_val_len)
+ publicString[sizeof(publicString)-1] = '\0';
+ else
publicString[var_val_len] = '\0';
} else
publicString[0] = '\0';
Index: agent/mibgroup/mibII/system_mib.c
===================================================================
--- agent/mibgroup/mibII/system_mib.c.orig 2006-09-15 02:48:50.000000000 +0200
+++ agent/mibgroup/mibII/system_mib.c 2008-10-24 15:30:26.550386000 +0200
@@ -126,7 +126,7 @@ system_parse_config_sysloc(const char *t
char tmpbuf[1024];
if (strlen(cptr) >= sizeof(sysLocation)) {
- snprintf(tmpbuf, 1024,
+ snprintf(tmpbuf, sizeof(tmpbuf),
"syslocation token too long (must be < %lu):\n\t%s",
(unsigned long)sizeof(sysLocation), cptr);
config_perror(tmpbuf);
@@ -173,7 +173,7 @@ system_parse_config_syscon(const char *t
char tmpbuf[1024];
if (strlen(cptr) >= sizeof(sysContact)) {
- snprintf(tmpbuf, 1024,
+ snprintf(tmpbuf, sizeof(tmpbuf),
"syscontact token too long (must be < %lu):\n\t%s",
(unsigned long)sizeof(sysContact), cptr);
config_perror(tmpbuf);
@@ -220,7 +220,7 @@ system_parse_config_sysname(const char *
char tmpbuf[1024];
if (strlen(cptr) >= sizeof(sysName)) {
- snprintf(tmpbuf, 1024,
+ snprintf(tmpbuf, sizeof(tmpbuf),
"sysname token too long (must be < %lu):\n\t%s",
(unsigned long)sizeof(sysName), cptr);
config_perror(tmpbuf);
Index: agent/mibgroup/mibII/var_route.c
===================================================================
--- agent/mibgroup/mibII/var_route.c.orig 2008-07-28 16:39:55.000000000 +0200
+++ agent/mibgroup/mibII/var_route.c 2008-10-24 15:30:26.582385351 +0200
@@ -1381,7 +1381,7 @@ Route_Scan_Reload(void)
/*
* Sort it!
*/
- qsort((char *) rthead, rtsize, sizeof(rthead[0]), qsort_compare);
+ qsort((char *) rthead, rtsize, sizeof(rthead[0]), (int (*) (const void*, const void*)) qsort_compare);
}
#endif
#endif
Index: agent/mibgroup/util_funcs.c
===================================================================
--- agent/mibgroup/util_funcs.c.orig 2007-08-16 16:12:47.000000000 +0200
+++ agent/mibgroup/util_funcs.c 2008-10-24 15:30:26.598384777 +0200
@@ -140,6 +140,10 @@ make_tempfile(void)
}
#endif
if (fd >= 0) {
+ if(fchmod(fd, 0600) != 0) {
+ close(fd);
+ return NULL;
+ }
close(fd);
DEBUGMSGTL(("make_tempfile", "temp file created: %s\n", name));
return name;
Index: agent/auto_nlist.c
===================================================================
--- agent/auto_nlist.c.orig 2008-06-05 23:11:53.000000000 +0200
+++ agent/auto_nlist.c 2008-10-24 15:30:26.630385059 +0200
@@ -64,6 +64,7 @@ auto_nlist_value(const char *string)
it->nl[0].n_name = (char *) malloc(strlen(string) + 2);
#if defined(aix4) || defined(aix5) || defined(aix6)
strcpy(it->nl[0].n_name, string);
+ it->nl[0].n_name[strlen(string)+1] = '\0';
#else
sprintf(it->nl[0].n_name, "_%s", string);
#endif
@@ -72,6 +73,7 @@ auto_nlist_value(const char *string)
#if !(defined(aix4) || defined(aix5) || defined(aix6))
if (it->nl[0].n_type == 0) {
strcpy(it->nl[0].n_name, string);
+ it->nl[0].n_name[strlen(string)+1] = '\0';
init_nlist(it->nl);
}
#endif
Index: apps/snmptest.c
===================================================================
--- apps/snmptest.c.orig 2008-05-29 11:59:06.000000000 +0200
+++ apps/snmptest.c 2008-10-24 15:30:26.650386319 +0200
@@ -456,6 +456,7 @@ input_variable(netsnmp_variable_list * v
goto getValue;
}
memcpy(vp->val.string, buf, strlen(buf) - 1);
+ vp->val.string[sizeof(vp->val.string)-1] = 0;
vp->val_len = strlen(buf) - 1;
} else if (ch == 'x') {
size_t buf_len = 256;
Index: apps/snmptrapd_handlers.c
===================================================================
--- apps/snmptrapd_handlers.c.orig 2007-06-08 12:44:37.000000000 +0200
+++ apps/snmptrapd_handlers.c 2008-10-24 15:30:26.682736940 +0200
@@ -24,6 +24,9 @@
#include <sys/wait.h>
#endif
+#include <sys/stat.h>
+#include <fcntl.h>
+
#include <net-snmp/config_api.h>
#include <net-snmp/output_api.h>
#include <net-snmp/mib_api.h>
@@ -863,10 +866,11 @@ do_external(char *cmd, struct hostent *h
#else
char command_buf[128];
char file_buf[L_tmpnam];
+ int win_fd;
tmpnam(file_buf);
- file = fopen(file_buf, "w");
- if (!file) {
+ win_fd = open(file_buf, O_RDWR | O_CREAT | O_EXCL, 0600);
+ if (win_fd < 0 || (file = fdopen(win_fd, "w")) == NULL)
fprintf(stderr, "fopen: %s: %s\n", file_buf, strerror(errno));
} else {
send_handler_data(file, host, pdu, transport);
Index: snmplib/parse.c
===================================================================
--- snmplib/parse.c.orig 2008-04-07 16:00:44.000000000 +0200
+++ snmplib/parse.c 2008-10-24 15:30:26.706385615 +0200
@@ -4191,7 +4191,7 @@ static struct node *
parse(FILE * fp, struct node *root)
{
char token[MAXTOKEN];
- char name[MAXTOKEN];
+ char name[MAXTOKEN+1];
int type = LABEL;
int lasttype = LABEL;
@@ -4283,7 +4283,8 @@ parse(FILE * fp, struct node *root)
case ENDOFFILE:
continue;
default:
- strcpy(name, token);
+ strncpy(name, token, sizeof(name));
+ name[sizeof(name)-1] = '\0';
type = get_token(fp, token, MAXTOKEN);
nnp = NULL;
if (type == MACRO) {
@@ -4300,7 +4301,8 @@ parse(FILE * fp, struct node *root)
print_error(name, "is a reserved word", lasttype);
continue; /* see if we can parse the rest of the file */
}
- strcpy(name, token);
+ strncpy(name, token, sizeof(name));
+ name[sizeof(name)-1] = '\0';
type = get_token(fp, token, MAXTOKEN);
nnp = NULL;
Index: snmplib/tools.c
===================================================================
--- snmplib/tools.c.orig 2007-02-21 14:58:27.000000000 +0100
+++ snmplib/tools.c 2008-10-24 15:30:26.750385578 +0200
@@ -696,7 +696,7 @@ dump_snmpEngineID(const u_char * estring
/*
* s += snprintf(s, remaining_len+3, "\"%s\"", esp);
*/
- s += sprintf(s, "\"%s\"", esp);
+ s += sprintf(s, "\"%.*s\"", sizeof(buf)-strlen(buf)-3, esp);
goto dump_snmpEngineID_quit;
break;
/*NOTREACHED*/ case 5: /* Octets. */
Index: testing/TESTCONF.sh
===================================================================
--- testing/TESTCONF.sh.orig 2006-08-07 17:34:16.000000000 +0200
+++ testing/TESTCONF.sh 2008-10-24 15:30:26.774385440 +0200
@@ -77,8 +77,8 @@ if [ "x$SNMP_TMPDIR" = "x" -a "x$SNMP_HE
fi
SNMP_TMP_PERSISTENTDIR=$SNMP_TMPDIR/persist
export SNMP_TMP_PERSISTENTDIR
- mkdir $SNMP_TMPDIR
- mkdir $SNMP_TMP_PERSISTENTDIR
+ mkdir -m 0700 $SNMP_TMPDIR
+ mkdir -m 0700 $SNMP_TMP_PERSISTENTDIR
fi
if [ "x$SNMP_SAVE_TMPDIR" = "x" ]; then
Index: testing/eval_suite.sh
===================================================================
--- testing/eval_suite.sh.orig 2002-04-20 09:30:29.000000000 +0200
+++ testing/eval_suite.sh 2008-10-24 15:30:26.798384612 +0200
@@ -79,7 +79,11 @@ exit 0
PROGRAM=
ARGUMENTS="$*"
-TMPFILE=/tmp/eval_suite.sh$$
+umask 0077 # just to be on the save side
+TMPDIR=/tmp/ucd-snmpd-eval-dir.$$
+/bin/rm -rf $TMPDIR
+/bin/mkdir -m 0700 $TMPDIR || exit -1
+TMPFILE=$TMPDIR/eval_suite.sh$$
TESTLISTFILE=eval_testlist
@@ -205,6 +209,7 @@ done # endwhile
# Cleanup, exit.
#
rm -f $TMPFILE
+rm -rf $TMPDIR
exit $TESTFAILURE
