|
|
@@ -0,0 +1,52 @@
|
|
|
+From 0d89165ee6da10e6fa50c44998b3cd16d59400e9 Mon Sep 17 00:00:00 2001
|
|
|
+From: Alex Rousskov <rousskov@measurement-factory.com>
|
|
|
+Date: Sat, 30 Aug 2025 06:49:36 +0000
|
|
|
+Subject: [PATCH] Fix ASN.1 encoding of long SNMP OIDs (#2149)
|
|
|
+
|
|
|
+Upstream: https://github.com/squid-cache/squid/commit/250a18e0a80694b919972a1836cdfe20f2e1baa0
|
|
|
+CVE: CVE-2025-59362
|
|
|
+Signed-off-by: Thomas Perale <thomas.perale@mind.be>
|
|
|
+---
|
|
|
+ lib/snmplib/asn1.c | 13 +++++++++++++
|
|
|
+ 1 file changed, 13 insertions(+)
|
|
|
+
|
|
|
+diff --git a/lib/snmplib/asn1.c b/lib/snmplib/asn1.c
|
|
|
+index 81f2051fbe7..2852c26b220 100644
|
|
|
+--- a/lib/snmplib/asn1.c
|
|
|
++++ b/lib/snmplib/asn1.c
|
|
|
+@@ -735,6 +735,7 @@ asn_build_objid(u_char * data, int *datalength,
|
|
|
+ * lastbyte ::= 0 7bitvalue
|
|
|
+ */
|
|
|
+ u_char buf[MAX_OID_LEN];
|
|
|
++ u_char *bufEnd = buf + sizeof(buf);
|
|
|
+ u_char *bp = buf;
|
|
|
+ oid *op = objid;
|
|
|
+ int asnlength;
|
|
|
+@@ -753,6 +754,10 @@ asn_build_objid(u_char * data, int *datalength,
|
|
|
+ while (objidlength-- > 0) {
|
|
|
+ subid = *op++;
|
|
|
+ if (subid < 127) { /* off by one? */
|
|
|
++ if (bp >= bufEnd) {
|
|
|
++ snmp_set_api_error(SNMPERR_ASN_ENCODE);
|
|
|
++ return (NULL);
|
|
|
++ }
|
|
|
+ *bp++ = subid;
|
|
|
+ } else {
|
|
|
+ mask = 0x7F; /* handle subid == 0 case */
|
|
|
+@@ -770,8 +775,16 @@ asn_build_objid(u_char * data, int *datalength,
|
|
|
+ /* fix a mask that got truncated above */
|
|
|
+ if (mask == 0x1E00000)
|
|
|
+ mask = 0xFE00000;
|
|
|
++ if (bp >= bufEnd) {
|
|
|
++ snmp_set_api_error(SNMPERR_ASN_ENCODE);
|
|
|
++ return (NULL);
|
|
|
++ }
|
|
|
+ *bp++ = (u_char) (((subid & mask) >> bits) | ASN_BIT8);
|
|
|
+ }
|
|
|
++ if (bp >= bufEnd) {
|
|
|
++ snmp_set_api_error(SNMPERR_ASN_ENCODE);
|
|
|
++ return (NULL);
|
|
|
++ }
|
|
|
+ *bp++ = (u_char) (subid & mask);
|
|
|
+ }
|
|
|
+ }
|
Thomas Perale