!80 [sync] PR-76: Sync upstream patches to fix Buffer overflow

From: @openeuler-sync-bot 
Reviewed-by: @jiangheng12 
Signed-off-by: @jiangheng12

backport-0001-CVE-2022-24805-24806-24807-24808-24809-24810.patch

@@ -0,0 +1,131 @@
+From 67ebb43e9038b2dae6e74ae8838b36fcc10fc937 Mon Sep 17 00:00:00 2001
+From: Bill Fenner <fenner@gmail.com>
+Date: Wed, 30 Jun 2021 14:00:28 -0700
+Subject: [PATCH] CHANGES: snmpd: fix bounds checking in NET-SNMP-AGENT-MIB,
+ NET-SNMP-VACM-MIB, SNMP-VIEW-BASED-ACM-MIB, SNMP-USER-BASED-SM-MIB
+
+Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
+Fixes by: Arista Networks
+---
+ agent/mibgroup/agent/nsLogging.c         |  6 ++++++
+ agent/mibgroup/agent/nsVacmAccessTable.c | 16 ++++++++++++++--
+ agent/mibgroup/mibII/vacm_vars.c         |  3 +++
+ agent/mibgroup/snmpv3/usmUser.c          |  2 --
+ 4 files changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/agent/mibgroup/agent/nsLogging.c b/agent/mibgroup/agent/nsLogging.c
+index 9abdeb5bb7..7f4290490a 100644
+--- a/agent/mibgroup/agent/nsLogging.c
++++ b/agent/mibgroup/agent/nsLogging.c
+@@ -147,6 +147,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+                 continue;
+             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+             table_info  =                netsnmp_extract_table_info(request);
++            if (!table_info || !table_info->indexes)
++                continue;
+ 
+             switch (table_info->colnum) {
+             case NSLOGGING_TYPE:
+@@ -201,6 +203,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+             }
+             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+             table_info  =                 netsnmp_extract_table_info(request);
++            if (!table_info || !table_info->indexes)
++                continue;
+ 
+             switch (table_info->colnum) {
+             case NSLOGGING_TYPE:
+@@ -394,6 +398,8 @@ handle_nsLoggingTable(netsnmp_mib_handler *handler,
+                 continue;
+             logh = (netsnmp_log_handler*)netsnmp_extract_iterator_context(request);
+             table_info  =                 netsnmp_extract_table_info(request);
++            if (!table_info || !table_info->indexes)
++                continue;
+ 
+             switch (table_info->colnum) {
+             case NSLOGGING_TYPE:
+diff --git a/agent/mibgroup/agent/nsVacmAccessTable.c b/agent/mibgroup/agent/nsVacmAccessTable.c
+index cc61fce7e6..6c43210074 100644
+--- a/agent/mibgroup/agent/nsVacmAccessTable.c
++++ b/agent/mibgroup/agent/nsVacmAccessTable.c
+@@ -170,9 +170,13 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+             entry = (struct vacm_accessEntry *)
+                 netsnmp_extract_iterator_context(request);
+             table_info = netsnmp_extract_table_info(request);
++            if (!table_info || !table_info->indexes)
++                continue;
+ 
+             /* Extract the authType token from the list of indexes */
+             idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++            if (idx->val_len >= sizeof(atype))
++                continue;
+             memset(atype, 0, sizeof(atype));
+             memcpy(atype, (char *)idx->val.string, idx->val_len);
+             viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+@@ -212,6 +216,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+             entry = (struct vacm_accessEntry *)
+                 netsnmp_extract_iterator_context(request);
+             table_info = netsnmp_extract_table_info(request);
++            if (!table_info || !table_info->indexes)
++                continue;
+             ret = SNMP_ERR_NOERROR;
+ 
+             switch (table_info->colnum) {
+@@ -247,6 +253,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+                  * Extract the authType token from the list of indexes
+                  */
+                 idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++                if (idx->val_len >= sizeof(atype))
++                    continue;
+                 memset(atype, 0, sizeof(atype));
+                 memcpy(atype, (char *)idx->val.string, idx->val_len);
+                 viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+@@ -294,8 +302,10 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+                          idx = idx->next_variable;  model = *idx->val.integer;
+                          idx = idx->next_variable;  level = *idx->val.integer;
+                          entry = vacm_createAccessEntry( gName, cPrefix, model, level );
+-                         entry->storageType = ST_NONVOLATILE;
+-                         netsnmp_insert_iterator_context(request, (void*)entry);
++                         if (entry) {
++                             entry->storageType = ST_NONVOLATILE;
++                             netsnmp_insert_iterator_context(request, (void*)entry);
++                         }
+                     }
+                 }
+             }
+@@ -321,6 +331,8 @@ nsVacmAccessTable_handler(netsnmp_mib_handler *handler,
+ 
+             /* Extract the authType token from the list of indexes */
+             idx = table_info->indexes->next_variable->next_variable->next_variable->next_variable;
++            if (idx->val_len >= sizeof(atype))
++                continue;
+             memset(atype, 0, sizeof(atype));
+             memcpy(atype, (char *)idx->val.string, idx->val_len);
+             viewIdx = se_find_value_in_slist(VACM_VIEW_ENUM_NAME, atype);
+diff --git a/agent/mibgroup/mibII/vacm_vars.c b/agent/mibgroup/mibII/vacm_vars.c
+index 469a1eba59..62c9a3d051 100644
+--- a/agent/mibgroup/mibII/vacm_vars.c
++++ b/agent/mibgroup/mibII/vacm_vars.c
+@@ -997,6 +997,9 @@ access_parse_oid(oid * oidIndex, size_t oidLen,
+         return 1;
+     }
+     groupNameL = oidIndex[0];
++    if ((groupNameL + 1) > (int) oidLen) {
++        return 1;
++    }
+     contextPrefixL = oidIndex[groupNameL + 1];  /* the initial name length */
+     if ((int) oidLen != groupNameL + contextPrefixL + 4) {
+         return 1;
+diff --git a/agent/mibgroup/snmpv3/usmUser.c b/agent/mibgroup/snmpv3/usmUser.c
+index 0f52aaba49..0edea53cfb 100644
+--- a/agent/mibgroup/snmpv3/usmUser.c
++++ b/agent/mibgroup/snmpv3/usmUser.c
+@@ -1505,8 +1505,6 @@ write_usmUserStatus(int action,
+                 if (usmStatusCheck(uptr)) {
+                     uptr->userStatus = RS_ACTIVE;
+                 } else {
+-                    SNMP_FREE(engineID);
+-                    SNMP_FREE(newName);
+                     return SNMP_ERR_INCONSISTENTVALUE;
+                 }
+             } else if (long_ret == RS_CREATEANDWAIT) {

backport-0002-CVE-2022-24805-24806-24807-24808-24809-24810.patch

@@ -0,0 +1,31 @@
+From 9a0cd7c00947d5e1c6ceb54558d454f87c3b8341 Mon Sep 17 00:00:00 2001
+From: Bill Fenner <fenner@gmail.com>
+Date: Tue, 24 Aug 2021 07:55:00 -0700
+Subject: [PATCH] CHANGES: snmpd: recover SET status from delegated request
+
+Reported by: Yu Zhang of VARAS@IIE, Nanyu Zhong of VARAS@IIE
+Fixes by: Arista Networks
+
+When a SET request includes a mix of delegated and
+non-delegated requests (e.g., objects handled by master
+agent and agentx sub-agent), the status can get lost while
+waiting for the reply from the sub-agent.  Recover the status
+into the session from the requests even if it has already
+been processed.
+---
+ agent/snmp_agent.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
+index 84fbb42b47..095ee70985 100644
+--- a/agent/snmp_agent.c
++++ b/agent/snmp_agent.c
+@@ -2965,7 +2965,7 @@ netsnmp_check_requests_status(netsnmp_agent_session *asp,
+         if (requests->status != SNMP_ERR_NOERROR &&
+             (!look_for_specific || requests->status == look_for_specific)
+             && (look_for_specific || asp->index == 0
+-                || requests->index < asp->index)) {
++                || requests->index <= asp->index)) {
+             asp->index = requests->index;
+             asp->status = requests->status;
+         }

backport-CVE-2022-44792_CVE-2022-44793.patch

@@ -0,0 +1,128 @@
+From 4589352dac3ae111c7621298cf231742209efd9b Mon Sep 17 00:00:00 2001
+From: Bill Fenner <fenner@gmail.com>
+Date: Fri, 25 Nov 2022 08:41:24 -0800
+Subject: [PATCH 1/3] snmp_agent: disallow SET with NULL varbind
+
+---
+ agent/snmp_agent.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+diff --git a/agent/snmp_agent.c b/agent/snmp_agent.c
+index 867d0c166f..3f678fe2df 100644
+--- a/agent/snmp_agent.c
++++ b/agent/snmp_agent.c
+@@ -3719,12 +3719,44 @@ netsnmp_handle_request(netsnmp_agent_session *asp, int status)
+     return 1;
+ }
+ 
++static int
++check_set_pdu_for_null_varbind(netsnmp_agent_session *asp)
++{
++    int i;
++    netsnmp_variable_list *v = NULL;
++
++    for (i = 1, v = asp->pdu->variables; v != NULL; i++, v = v->next_variable) {
++	if (v->type == ASN_NULL) {
++	    /*
++	     * Protect SET implementations that do not protect themselves
++	     * against wrong type.
++	     */
++	    DEBUGMSGTL(("snmp_agent", "disallowing SET with NULL var for varbind %d\n", i));
++	    asp->index = i;
++	    return SNMP_ERR_WRONGTYPE;
++	}
++    }
++    return SNMP_ERR_NOERROR;
++}
++
+ int
+ handle_pdu(netsnmp_agent_session *asp)
+ {
+     int             status, inclusives = 0;
+     netsnmp_variable_list *v = NULL;
+ 
++#ifndef NETSNMP_NO_WRITE_SUPPORT
++    /*
++     * Check for ASN_NULL in SET request
++     */
++    if (asp->pdu->command == SNMP_MSG_SET) {
++	status = check_set_pdu_for_null_varbind(asp);
++	if (status != SNMP_ERR_NOERROR) {
++	    return status;
++	}
++    }
++#endif /* NETSNMP_NO_WRITE_SUPPORT */
++
+     /*
+      * for illegal requests, mark all nodes as ASN_NULL 
+      */
+
+From 7f4ac4051cc7fec6a5944661923acb95cec359c7 Mon Sep 17 00:00:00 2001
+From: Bill Fenner <fenner@gmail.com>
+Date: Fri, 25 Nov 2022 08:41:46 -0800
+Subject: [PATCH 2/3] apps: snmpset: allow SET with NULL varbind for testing
+
+---
+ apps/snmpset.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/apps/snmpset.c b/apps/snmpset.c
+index 48e14bd513..d542713e1b 100644
+--- a/apps/snmpset.c
++++ b/apps/snmpset.c
+@@ -182,6 +182,7 @@ main(int argc, char *argv[])
+             case 'x':
+             case 'd':
+             case 'b':
++            case 'n': /* undocumented */
+ #ifdef NETSNMP_WITH_OPAQUE_SPECIAL_TYPES
+             case 'I':
+             case 'U':
+
+From 15f9d7f7e5b90c9b419832ed8e6413feb6570d83 Mon Sep 17 00:00:00 2001
+From: Bill Fenner <fenner@gmail.com>
+Date: Fri, 25 Nov 2022 10:23:32 -0800
+Subject: [PATCH 3/3] Add test for NULL varbind set
+
+---
+ .../default/T0142snmpv2csetnull_simple        | 31 +++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+ create mode 100644 testing/fulltests/default/T0142snmpv2csetnull_simple
+
+diff --git a/testing/fulltests/default/T0142snmpv2csetnull_simple b/testing/fulltests/default/T0142snmpv2csetnull_simple
+new file mode 100644
+index 0000000000..0f1b8f386b
+--- /dev/null
++++ b/testing/fulltests/default/T0142snmpv2csetnull_simple
+@@ -0,0 +1,31 @@
++#!/bin/sh
++
++. ../support/simple_eval_tools.sh
++
++HEADER SNMPv2c set of system.sysContact.0 with NULL varbind
++
++SKIPIF NETSNMP_DISABLE_SET_SUPPORT
++SKIPIF NETSNMP_NO_WRITE_SUPPORT
++SKIPIF NETSNMP_DISABLE_SNMPV2C
++SKIPIFNOT USING_MIBII_SYSTEM_MIB_MODULE
++
++#
++# Begin test
++#
++
++# standard V2C configuration: testcomunnity
++snmp_write_access='all'
++. ./Sv2cconfig
++STARTAGENT
++
++CAPTURE "snmpget -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0"
++
++CHECK ".1.3.6.1.2.1.1.4.0 = STRING:"
++
++CAPTURE "snmpset -On $SNMP_FLAGS -c testcommunity -v 2c $SNMP_TRANSPORT_SPEC:$SNMP_TEST_DEST$SNMP_SNMPD_PORT .1.3.6.1.2.1.1.4.0 n x"
++
++CHECK "Reason: wrongType"
++
++STOPAGENT
++
++FINISHED

backport-IF-MIB-Add-a-trailing-newline-to-an-error-message.patch

@@ -0,0 +1,26 @@
+From 2cd0e7d72a76ba27a18315b9ae67e6ed6d2c464a Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Mon, 9 Aug 2021 13:38:36 -0700
+Subject: [PATCH] IF-MIB: Add a trailing newline to an error message
+
+Fixes: 8bb544fbd2d6 ("Linux: IF-MIB: Fix a memory leak")
+---
+ agent/mibgroup/if-mib/data_access/interface_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/agent/mibgroup/if-mib/data_access/interface_linux.c b/agent/mibgroup/if-mib/data_access/interface_linux.c
+index e56cadf46..5322ee937 100644
+--- a/agent/mibgroup/if-mib/data_access/interface_linux.c
++++ b/agent/mibgroup/if-mib/data_access/interface_linux.c
+@@ -927,7 +927,7 @@ netsnmp_arch_interface_container_load(netsnmp_container* container,
+             netsnmp_interface_entry *existing =
+                 CONTAINER_FIND(container, entry);
+             NETSNMP_LOGONCE((LOG_WARNING,
+-                             "Encountered interface with index %" NETSNMP_PRIz "u twice: %s <> %s",
++                             "Encountered interface with index %" NETSNMP_PRIz "u twice: %s <> %s\n",
+                              entry->index, existing ? existing->name : "(?)",
+                              entry->name));
+             netsnmp_access_interface_entry_free(entry);
+-- 
+2.33.0
+

backport-IF-MIB-Fix-a-recently-introduced-use-after-free.patch

@@ -0,0 +1,54 @@
+From d4b58c60367a262d829eb33e7888d28cd4337481 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Thu, 5 Aug 2021 18:56:50 -0700
+Subject: [PATCH] IF-MIB: Fix a recently introduced use-after-free
+
+Do not free the netsnmp_interface_entry corresponding to the previous line
+from /proc/dev/net if an interface disappeared. Additionally, reduce the
+scope of the 'entry' variable.
+
+Fixes: 600c54135b10 ("IF-MIB, IP-FORWARD-MIB: Improve robustness")
+---
+ agent/mibgroup/if-mib/data_access/interface_linux.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/agent/mibgroup/if-mib/data_access/interface_linux.c b/agent/mibgroup/if-mib/data_access/interface_linux.c
+index 9d9b2ceb3..ea7389682 100644
+--- a/agent/mibgroup/if-mib/data_access/interface_linux.c
++++ b/agent/mibgroup/if-mib/data_access/interface_linux.c
+@@ -609,7 +609,6 @@ netsnmp_arch_interface_container_load(netsnmp_container* container,
+ {
+     FILE           *devin;
+     char            line[256];
+-    netsnmp_interface_entry *entry = NULL;
+     static char     scan_expected = 0;
+     int             fd;
+     int             interfaces = 0;
+@@ -690,6 +689,7 @@ netsnmp_arch_interface_container_load(netsnmp_container* container,
+      *   and retrieve (or create) the corresponding data structure.
+      */
+     while (fgets(line, sizeof(line), devin)) {
++        netsnmp_interface_entry *entry = NULL;
+         char           *stats, *ifstart = line;
+         u_int           flags;
+         oid             if_index;
+@@ -738,7 +738,7 @@ netsnmp_arch_interface_container_load(netsnmp_container* container,
+         if (if_index == 0) {
+             DEBUGMSGTL(("access:interface", "network interface %s is gone",
+                         ifstart));
+-            goto free_entry;
++            continue;
+         }
+ #ifdef NETSNMP_ENABLE_IPV6
+         _arch_interface_has_ipv6(if_index, &flags, addr_container);
+@@ -933,7 +933,6 @@ netsnmp_arch_interface_container_load(netsnmp_container* container,
+                              "Encountered interface with index %" NETSNMP_PRIz "u twice: %s <> %s",
+                              entry->index, existing ? existing->name : "(?)",
+                              entry->name));
+-free_entry:
+             netsnmp_access_interface_entry_free(entry);
+         }
+     }
+-- 
+2.33.0
+

backport-IF-MIB-IP-FORWARD-MIB-Improve-robustness.patch

@@ -0,0 +1,80 @@
+From 600c54135b1015d56070f702d878772dd9f0d51e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Mon, 2 Aug 2021 19:04:31 -0700
+Subject: [PATCH] IF-MIB, IP-FORWARD-MIB: Improve robustness
+
+It can happen that a network interface disappears after scanning has started
+and before netsnmp_arch_interface_index_find() or another query function is
+called. If that happens, ignore the network interface silently.
+---
+ agent/mibgroup/if-mib/data_access/interface_linux.c   |  7 ++++++-
+ .../mibgroup/ip-forward-mib/data_access/route_linux.c | 11 ++++++-----
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/agent/mibgroup/if-mib/data_access/interface_linux.c b/agent/mibgroup/if-mib/data_access/interface_linux.c
+index 215b30e80..7e4a35130 100644
+--- a/agent/mibgroup/if-mib/data_access/interface_linux.c
++++ b/agent/mibgroup/if-mib/data_access/interface_linux.c
+@@ -734,7 +734,11 @@ netsnmp_arch_interface_container_load(netsnmp_container* container,
+          * knows a better way, put it here!
+          */
+         if_index = netsnmp_arch_interface_index_find(ifstart);
+-        netsnmp_assert(if_index != 0);
++        if (if_index == 0) {
++            DEBUGMSGTL(("access:interface", "network interface %s is gone",
++                        ifstart));
++            goto free_entry;
++        }
+ #ifdef NETSNMP_ENABLE_IPV6
+         _arch_interface_has_ipv6(if_index, &flags, addr_container);
+ #endif
+@@ -928,6 +932,7 @@ netsnmp_arch_interface_container_load(netsnmp_container* container,
+                              "Encountered interface with index %" NETSNMP_PRIz "u twice: %s <> %s",
+                              entry->index, existing ? existing->name : "(?)",
+                              entry->name));
++free_entry:
+             netsnmp_access_interface_entry_free(entry);
+         }
+     }
+diff --git a/agent/mibgroup/ip-forward-mib/data_access/route_linux.c b/agent/mibgroup/ip-forward-mib/data_access/route_linux.c
+index 956e127c9..9b6a63ead 100644
+--- a/agent/mibgroup/ip-forward-mib/data_access/route_linux.c
++++ b/agent/mibgroup/ip-forward-mib/data_access/route_linux.c
+@@ -97,9 +97,7 @@ _load_ipv4(netsnmp_container* container, u_long *index )
+             snmp_log(LOG_ERR,
+                      "/proc/net/route data format error (%d!=8), line ==|%s|",
+                      rc, line);
+-            
+-            netsnmp_access_route_entry_free(entry);        
+-            continue;
++            goto free_entry;
+         }
+ 
+         /*
+@@ -114,9 +112,12 @@ _load_ipv4(netsnmp_container* container, u_long *index )
+          * but since that will open/close a socket, and we might
+          * have a lot of routes, call the ioctl routine directly.
+          */
+-        if ('*' != name[0])
++        if ('*' != name[0]) {
+             entry->if_index =
+                 netsnmp_access_interface_ioctl_ifindex_get(fd,name);
++            if (entry->if_index == 0)
++                goto free_entry;
++        }
+ 
+         /*
+          * arbitrary index
+@@ -186,8 +187,8 @@ _load_ipv4(netsnmp_container* container, u_long *index )
+         if (CONTAINER_INSERT(container, entry) < 0)
+         {
+             DEBUGMSGTL(("access:route:container", "error with route_entry: insert into container failed.\n"));
++free_entry:
+             netsnmp_access_route_entry_free(entry);
+-            continue;
+         }
+     }
+ 
+-- 
+2.33.0
+

backport-Linux-IF-MIB-Fix-a-memory-leak.patch

@@ -0,0 +1,37 @@
+From 8bb544fbd2d6986a9b73d3fab49235a4baa96c23 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Sat, 31 Jul 2021 16:21:16 -0700
+Subject: [PATCH] Linux: IF-MIB: Fix a memory leak
+
+The Linux kernel regenerates proc files in their entirety every time a 4 KiB
+boundary is crossed. This can result in reading the same network interface
+twice if network information changes while it is being read. Fix a memory
+leak that can be triggered if /proc/net/dev changes while being read.
+---
+ agent/mibgroup/if-mib/data_access/interface_linux.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/agent/mibgroup/if-mib/data_access/interface_linux.c b/agent/mibgroup/if-mib/data_access/interface_linux.c
+index e99360a21..215b30e80 100644
+--- a/agent/mibgroup/if-mib/data_access/interface_linux.c
++++ b/agent/mibgroup/if-mib/data_access/interface_linux.c
+@@ -921,7 +921,15 @@ netsnmp_arch_interface_container_load(netsnmp_container* container,
+         /*
+          * add to container
+          */
+-        CONTAINER_INSERT(container, entry);
++        if (CONTAINER_INSERT(container, entry) != 0) {
++            netsnmp_interface_entry *existing =
++                CONTAINER_FIND(container, entry);
++            NETSNMP_LOGONCE((LOG_WARNING,
++                             "Encountered interface with index %" NETSNMP_PRIz "u twice: %s <> %s",
++                             entry->index, existing ? existing->name : "(?)",
++                             entry->name));
++            netsnmp_access_interface_entry_free(entry);
++        }
+     }
+ #ifdef NETSNMP_ENABLE_IPV6
+     netsnmp_access_ipaddress_container_free(addr_container, 0);
+-- 
+2.33.0
+

backport-Linux-IF-MIB-Pass-the-network-interface-index-to-net.patch

@@ -0,0 +1,40 @@
+From 8da919e4ad66dec376f54a6d2f7dd7a7fe68b8f0 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Sat, 31 Jul 2021 16:01:11 -0700
+Subject: [PATCH] Linux: IF-MIB: Pass the network interface index to
+ netsnmp_access_interface_entry_create()
+
+Instead of letting netsnmp_access_interface_entry_create() call
+netsnmp_arch_interface_index_find() a second time, pass the network interface
+index to that function.
+---
+ agent/mibgroup/if-mib/data_access/interface_linux.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/agent/mibgroup/if-mib/data_access/interface_linux.c b/agent/mibgroup/if-mib/data_access/interface_linux.c
+index 9c96eb92d..e99360a21 100644
+--- a/agent/mibgroup/if-mib/data_access/interface_linux.c
++++ b/agent/mibgroup/if-mib/data_access/interface_linux.c
+@@ -733,8 +733,9 @@ netsnmp_arch_interface_container_load(netsnmp_container* container,
+          * ip version is to look for ip addresses. If anyone
+          * knows a better way, put it here!
+          */
+-#ifdef NETSNMP_ENABLE_IPV6
+         if_index = netsnmp_arch_interface_index_find(ifstart);
++        netsnmp_assert(if_index != 0);
++#ifdef NETSNMP_ENABLE_IPV6
+         _arch_interface_has_ipv6(if_index, &flags, addr_container);
+ #endif
+         netsnmp_access_interface_ioctl_has_ipv4(fd, ifstart, 0, &flags, &ifc);
+@@ -752,7 +753,7 @@ netsnmp_arch_interface_container_load(netsnmp_container* container,
+             continue;
+         }
+ 
+-        entry = netsnmp_access_interface_entry_create(ifstart, 0);
++        entry = netsnmp_access_interface_entry_create(ifstart, if_index);
+         if(NULL == entry) {
+ #ifdef NETSNMP_ENABLE_IPV6
+             netsnmp_access_ipaddress_container_free(addr_container, 0);
+-- 
+2.33.0
+

backport-libsnmp-Fix-a-buffer-overflow-in-setup_engineID.patch

@@ -0,0 +1,33 @@
+From fbdf2ed2e0bb06050d314e008a34d9ecdb84be17 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bvanassche@acm.org>
+Date: Mon, 28 Oct 2024 09:21:45 -0700
+Subject: [PATCH] libsnmp: Fix a buffer overflow in setup_engineID()
+
+See also https://github.com/net-snmp/net-snmp/issues/732.
+
+Conflict:NA
+Reference:https://github.com/net-snmp/net-snmp/commit/fbdf2ed2e0bb06050d314e008a34d9ecdb84be17
+
+diff --git a/snmplib/snmpv3.c b/snmplib/snmpv3.c
+index ebb9a9caef..f453ad8fbe 100644
+--- a/snmplib/snmpv3.c
++++ b/snmplib/snmpv3.c
+@@ -580,8 +580,13 @@ setup_engineID(u_char ** eidp, const char *text)
+     /*
+      * Allocate memory and store enterprise ID.
+      */
+-    if ((bufp = (u_char *) calloc(1, len)) == NULL) {
+-        snmp_log_perror("setup_engineID malloc");
++    if (len == 0) {
++        snmp_log(LOG_ERR, "%s(): len == 0\n", __func__);
++        return -1;
++    }
++    bufp = calloc(1, len);
++    if (bufp == NULL) {
++        snmp_log_perror("setup_engineID() calloc()");
+         return -1;
+     }
+     if (localEngineIDType == ENGINEID_TYPE_NETSNMP_RND)
+-- 
+2.33.0
+

backport-snmplib-Handle-two-oldEngineID-lines-in-snmpd.conf.-.patch

@@ -0,0 +1,28 @@
+From 20879e824851a7a188eac50fd34aac04113d7432 Mon Sep 17 00:00:00 2001
+From: Niels Baggesen <nba@users.sourceforge.net>
+Date: Thu, 1 Jun 2023 11:12:34 +0200
+Subject: [PATCH] snmplib: Handle two oldEngineID lines in snmpd.conf. Fixes
+ #578
+
+Conflict:NA
+Reference:https://github.com/net-snmp/net-snmp/commit/20879e824851a7a188eac50fd34aac04113d7432
+
+diff --git a/snmplib/snmpv3.c b/snmplib/snmpv3.c
+index 2dd527544f..be9256fa11 100644
+--- a/snmplib/snmpv3.c
++++ b/snmplib/snmpv3.c
+@@ -862,6 +862,11 @@ version_conf(const char *word, char *cptr)
+ void
+ oldengineID_conf(const char *word, char *cptr)
+ {
++    if (oldEngineID) {
++        free(oldEngineID);
++        oldEngineID = NULL;
++        oldEngineIDLength = 0;
++    }
+     read_config_read_octet_string(cptr, &oldEngineID, &oldEngineIDLength);
+ }
+ 
+-- 
+2.33.0
+

net-snmp.spec

@@ -3,7 +3,7 @@
 
 Name:            net-snmp
 Version:         5.9.1
-Release:         2
+Release:         7
 Epoch:           1
 Summary:         SNMP Daemon
 License:         BSD
@@ -47,10 +47,20 @@ Patch30:         backport-libsnmp-Fix-a-memory-leak-in-a-MIB-parser-error-path.p
 Patch31:         backport-libsnmp-Fix-the-getoid-error-path.patch
 Patch32:         backport-Python-Fix-snmpwalk-with-UseNumeric-1.patch
 Patch33:         backport-net-snmp-5.9.1-autoconf.patch
+Patch34:         backport-0001-CVE-2022-24805-24806-24807-24808-24809-24810.patch
+Patch35:         backport-0002-CVE-2022-24805-24806-24807-24808-24809-24810.patch
+Patch36:         backport-Linux-IF-MIB-Pass-the-network-interface-index-to-net.patch
+Patch37:         backport-Linux-IF-MIB-Fix-a-memory-leak.patch
+Patch38:         backport-IF-MIB-IP-FORWARD-MIB-Improve-robustness.patch
+Patch39:         backport-IF-MIB-Fix-a-recently-introduced-use-after-free.patch
+Patch40:         backport-IF-MIB-Add-a-trailing-newline-to-an-error-message.patch
+Patch41:         backport-CVE-2022-44792_CVE-2022-44793.patch
+Patch42:         backport-snmplib-Handle-two-oldEngineID-lines-in-snmpd.conf.-.patch
+Patch43:         backport-libsnmp-Fix-a-buffer-overflow-in-setup_engineID.patch
 
 %{?systemd_requires}
 BuildRequires:   systemd gcc openssl-devel bzip2-devel elfutils-devel libselinux-devel
-BuildRequires:   elfutils-libelf-devel rpm-devel perl-devel perl(ExtUtils::Embed) procps pcre-devel
+BuildRequires:   elfutils-libelf-devel rpm-devel perl-devel perl(ExtUtils::Embed) procps
 BuildRequires:   python3-devel python3-setuptools chrpath mariadb-connector-c-devel net-tools
 BuildRequires:   perl(TAP::Harness) lm_sensors-devel autoconf automake
 Requires:        perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
@@ -136,7 +146,7 @@ MIBS="host agentx smux \
      ip-mib/ipv6ScopeZoneIndexTable ip-mib/ipIfStatsTable \
      sctp-mib rmon-mib etherlike-mib"
 MIBS="$MIBS ucd-snmp/lmsensorsMib"
-%configure  --enable-shared --enable-as-needed  --enable-embedded-perl \
+%configure --with-pcre=no --enable-shared --enable-as-needed  --enable-embedded-perl \
     --enable-ipv6  --enable-local-smux --enable-mfd-rewrites \
     --enable-ucd-snmp-compatibility --sysconfdir=%{_sysconfdir} \
     --with-cflags="$RPM_OPT_FLAGS -D_RPM_4_4_COMPAT" \
@@ -326,6 +336,41 @@ LD_LIBRARY_PATH=%{buildroot}/%{_libdir} make test
 %{_mandir}/man1/fixproc*
 
 %changelog
+* Tue Oct 29 2024 xingwei <xingwei14@h-partners.com> - 1:5.9.1-7
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Sync upstream patches to fix Buffer overflow
+
+* Wed May 24 2023 xingwei <xingwei14@h-partners.com> - 1:5.9.1-6
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:remove pcre dependency
+
+* Fri Dec 30 2022 gaihuiying <eaglegai@163.com> - 1:5.9.1-5
+- Type:CVE
+- CVE:CVE-2022-44792 CVE-2022-44793
+- SUG:NA
+- DESC:fix CVE-2022-44792 CVE-2022-44793
+
+* Fri Sep 30 2022 xingwei <xingwei14@h-partners.com> - 1:5.9.1-4
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC: IF-MIB, IP-FORWARD-MIB: Improve robustness
+        IF-MIB: pass the network interface index to net
+        IF-MIB: fix a memory leak
+        IF-MIB: fix a recently introduced use after free
+        IF-MIB: add a trailing newline to an error message
+
+* Sat Aug 27 2022 gaihuiying <eaglegai@163.com> - 1:5.9.1-3
+- Type:CVE
+- CVE:CVE-2022-24805 CVE-2022-24806 CVE-2022-24807 CVE-2022-24808 CVE-2022-24809 CVE-2022-24810
+- SUG:NA
+- DESC:fix CVE-2022-24805 CVE-2022-24806 CVE-2022-24807
+           CVE-2022-24808 CVE-2022-24809 CVE-2022-24810
+
 * Mon Aug 08 2022 gaihuiying <eaglegai@163.com> - 1:5.9.1-2
 - Type:bugfix
 - CVE:NA