449351: When an invalid port number that exceeds 0x10000(65536) is specified by the snmpd and snmptrapd command, an improper port number is generated. Author: Jan Safranek <jsafrane@redhat.com> Check port specifiers. Inspired by upstream version of snmpUDPDomain.c (but rewritten to fit to old version of net-snmp).
diff -up net-snmp-5.3.2.2/snmplib/snmpUDPDomain.c.port net-snmp-5.3.2.2/snmplib/snmpUDPDomain.c
--- net-snmp-5.3.2.2/snmplib/snmpUDPDomain.c.port 2008-08-06 10:29:52.000000000 +0200
+++ net-snmp-5.3.2.2/snmplib/snmpUDPDomain.c 2008-08-06 10:29:55.000000000 +0200
@@ -823,9 +823,16 @@ netsnmp_sockaddr_in(struct sockaddr_in *
 *cp = '\0';
 cp++;
 if (atoi(cp) != 0) {
+ int port = atoi(cp);
 DEBUGMSGTL(("netsnmp_sockaddr_in",
- "port number suffix :%d\n", atoi(cp)));
- addr->sin_port = htons((u_short)atoi(cp));
+ "port number suffix :%d\n", port));
+ if (port > 0 && port < 65536) {
+ addr->sin_port = htons((u_short)port);
+ } else {
+ snmp_log(LOG_WARNING,
+ "Invalid port number: %d, using default %d\n",
+ port, ntohs(addr->sin_port));
+ }
 }
 }
 
diff -up net-snmp-5.3.2.2/snmplib/snmpUDPIPv6Domain.c.port net-snmp-5.3.2.2/snmplib/snmpUDPIPv6Domain.c
--- net-snmp-5.3.2.2/snmplib/snmpUDPIPv6Domain.c.port 2007-08-20 10:06:42.000000000 +0200
+++ net-snmp-5.3.2.2/snmplib/snmpUDPIPv6Domain.c 2008-08-06 10:29:57.000000000 +0200
@@ -390,9 +390,17 @@ netsnmp_sockaddr_in6(struct sockaddr_in6
 /*
 * Okay, it looks like JUST a port number.
 */
+ int port = atoi(peername);
 DEBUGMSGTL(("netsnmp_sockaddr_in6", "totally numeric: %d\n",
- atoi(peername)));
- addr->sin6_port = htons(atoi(peername));
+ port));
+ if (port > 0 && port < 65536) {
+ addr->sin6_port = htons(port);
+ }
+ else {
+ snmp_log(LOG_WARNING,
+ "Invalid port number: %d, using default %d\n",
+ port, ntohs(addr->sin6_port));
+ }
 goto resolved;
 }
 
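Review bot: `int port = atoi(cp);` in the netsnmp_sockaddr_in hunk still cannot tell a valid port from malformed input, and the same pattern repeats in the four netsnmp_sockaddr_in6 hunks. atoi() reports no errors, accepts trailing characters ("161x" parses as 161), and its result is undefined when the digits do not fit in an int, so on some C libraries a very large value may wrap back into 1..65535 and pass the new range check. Parsing with strtol closes both gaps: `char *end; long port = strtol(cp, &end, 10);` followed by `if (end != cp && *end == '\0' && port > 0 && port < 65536)`, with the `%d` for port changed to `%ld`. The enclosing function starts and ends outside the hunk.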
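Review bot: The `else` branch added after the "totally numeric" case carries on with whatever port is already in `addr->sin6_port`, so a mistyped port on the snmpd or snmptrapd command line leaves the daemon on the default port with only a LOG_WARNING to show for it. For a listening address that is a fail-open result: the service comes up on a port the operator did not ask for, which may not match what local filtering rules assume. If netsnmp_sockaddr_in6 has a failure return (its signature and exit paths are outside this hunk), rejecting the specifier there would be safer than falling back. Otherwise raise the message to LOG_ERR and add a comment such as `/* invalid port: keep the caller-supplied default in addr->sin6_port */` so the fallback is visibly intentional. The same applies to the other four hunks of this patch.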
@@ -426,10 +434,18 @@ netsnmp_sockaddr_in6(struct sockaddr_in6
 if (atoi(cp + 2) != 0 &&
 inet_pton(AF_INET6, peername + 1,
 (void *) &(addr->sin6_addr))) {
+ int port = atoi(cp + 2);
 DEBUGMSGTL(("netsnmp_sockaddr_in6",
 "IPv6 address with port suffix :%d\n",
- atoi(cp + 2)));
- addr->sin6_port = htons(atoi(cp + 2));
+ port));
+ if (port > 0 && port < 65536) {
+ addr->sin6_port = htons(port);
+ }
+ else {
+ snmp_log(LOG_WARNING,
+ "Invalid port number: %d, using default %d\n",
+ port, ntohs(addr->sin6_port));
+ }
 #if defined(HAVE_IF_NAMETOINDEX) && defined(HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID)
 addr->sin6_scope_id = if_index;
 #endif
@@ -476,10 +492,18 @@ netsnmp_sockaddr_in6(struct sockaddr_in6
 if (atoi(cp + 1) != 0 &&
 inet_pton(AF_INET6, peername,
 (void *) &(addr->sin6_addr))) {
+ int port = atoi(cp + 1);
 DEBUGMSGTL(("netsnmp_sockaddr_in6",
 "IPv6 address with port suffix :%d\n",
- atoi(cp + 1)));
- addr->sin6_port = htons(atoi(cp + 1));
+ port));
+ if (port > 0 && port < 65536) {
+ addr->sin6_port = htons(port);
+ }
+ else {
+ snmp_log(LOG_WARNING,
+ "Invalid port number: %d, using default %d\n",
+ port, ntohs(addr->sin6_port));
+ }
 #if defined(HAVE_IF_NAMETOINDEX) && defined(HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID)
 addr->sin6_scope_id = if_index;
 #endif
@@ -508,10 +532,18 @@ netsnmp_sockaddr_in6(struct sockaddr_in6
 if (cp != NULL) {
 *cp = '\0';
 if (atoi(cp + 1) != 0) {
+ int port = atoi(cp + 1);
 DEBUGMSGTL(("netsnmp_sockaddr_in6",
 "hostname(?) with port suffix :%d\n",
- atoi(cp + 1)));
- addr->sin6_port = htons(atoi(cp + 1));
+ port));
+ if (port > 0 && port < 65536) {
+ addr->sin6_port = htons(port);
+ }
+ else {
+ snmp_log(LOG_WARNING,
+ "Invalid port number: %d, using default %d\n",
+ port, ntohs(addr->sin6_port));
+ }
 } else {
 /*
 * No idea, looks bogus but we might as well pass the full thing to
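Review bot: The range-check-and-warn block added in the first "IPv6 address with port suffix" hunk is pasted again in the two hunks after it and in the port-only hunk of the same file, and once more with a different cast in snmpUDPDomain.c. Any later correction to port validation therefore has to be made in five places, which is how one copy ends up unfixed. A small static helper that takes the suffix string and returns either the validated port or a failure indication would keep the rule in one spot. The IPv6 copies also pass an `int` to htons() where the IPv4 copy writes `htons((u_short)port)`; one form should be used throughout. The enclosing block opens and closes outside the hunk.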