

#2525 5.7.2 will crash/overflow when processing argv greater than BUFSIZ in swrun_kinfo.c

Ryan Steinmetz

5.7.2 will crash if a running process has arguments that are longer than BUFSIZ. An easy way to recreate this is to create a shell script with:

    sleep 9999

in it and then call it with:

    ./test.sh a really long string here

Then, run snmpwalk against the host. snmpd will crash.

In agent/mibgroup/host/data_access/swrun_kinfo.c, we use strcat() and will overflow the buffer (buf) if argv is larger than BUFSIZ bytes.

The attached patch will truncate anything beyond BUFSIZ and prevent snmpd from crashing.

1 Attachments


  • Niels Baggesen

    • status: open --> duplicate
    • assigned_to: Niels Baggesen
  • Niels Baggesen

    Thanks for the report.
    This problem has already been fixed by the patch attached to bug 2286.

  • Ryan Steinmetz

    This bug still exists even with the patch from 2286. It is caused by us adding spaces (via strcat()) in the while() loop when iterating through argv:

        buf[0] = '\0';
        buf[1] = '\0';
        if (argv)
            argv++;    /* Skip argv[0] */
        while ( argv && *argv ) {
            strcat(buf, " ");
            strcat(buf, *argv);

    The patch from #2286 only limits the number of characters returned, but does not factor in that we loop through the arguments and insert spaces between them when building the string that we place into 'buf'.

    2286 also does not factor in that we consume the first two bytes with NULLs.

    Last edit: Ryan Steinmetz 2014-02-25
  • Ryan Steinmetz

    I think this is a more complete patch than the one from #2286.

    Reproducing this is simple: Apply the patch from #2286, then ensure that your arguments string also has a ton of spaces in it and exceeds BUFSIZ characters total.

    Last edit: Ryan Steinmetz 2014-02-24
  • Wes Hardaker

    Patch applied to 5.5 branches and up. Thank you!
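
An added example, not part of the ticket and not the net-snmp patch: a bounded version of the argv-joining loop quoted in the thread, showing why the separators have to be counted against the buffer as well as the argument text. The names join_args_bounded, demo_join and demo_buf are hypothetical, and the 32-byte buffer is a small stand-in for BUFSIZ.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not net-snmp code: join argv[1..] into buf with a space
 * before each argument (as the strcat() loop in the ticket does), never writing
 * more than bufsz bytes including the NUL. Returns the length the full string
 * needs, so a return value >= bufsz means the output was truncated. */
size_t join_args_bounded(char *buf, size_t bufsz, char *const *argv)
{
    size_t used = 0, needed = 0;

    if (bufsz == 0)
        return 0;
    buf[0] = '\0';
    if (argv && *argv)
        argv++;                      /* skip argv[0] */
    for (; argv && *argv; argv++) {
        size_t len = strlen(*argv);

        needed += 1 + len;           /* the separator counts too */
        if (used < bufsz - 1)
            buf[used++] = ' ';
        if (len > bufsz - 1 - used)
            len = bufsz - 1 - used;  /* truncate to the room left */
        memcpy(buf + used, *argv, len);
        used += len;
        buf[used] = '\0';
    }
    return needed;
}

static char demo_buf[32];            /* small stand-in for a BUFSIZ buffer */

/* Constructed sample: 20 one-byte arguments are only 20 characters of
 * argument text, but the joined string needs 40 bytes. */
size_t demo_join(void)
{
    char *argv[22] = { "test.sh" };  /* remaining slots start as NULL */
    int i;
    for (i = 1; i <= 20; i++)
        argv[i] = "x";
    return join_args_bounded(demo_buf, sizeof(demo_buf), argv);
}

int main(void)
{
    size_t needed = demo_join();
    printf("needed=%zu stored=%zu\n", needed, strlen(demo_buf));
    return 0;
}
```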