net-snmp

The forum address has changed, you have been automatically redirected. Please update any bookmarks to use the new URL.

Tracker: Bugs

6 snmp_get limits ASN1 OCTETSTRING length [CVE-2008-2292] - ID: 1826174

Last Update: Comment added ( tanders )

Details:

Location : perl/SNMP/SNMP.xs.

snmp_get crashes on AVPs with (e.g.) an OCTETSTRING bigger than roughly
4096 (5.4.1, 5.2.4) or 2048 (5.1.4) bytes, which is a highly arbitrary
limitation, looking at the source code and how the buffer size is
determined. It should handle at least up to 64 K, really (max. UDP packet
payload size), or malloc() properly.

John Kortink

Submitted:

John Kortink (mBalance) ( john_kortink_mb ) - 2007-11-05 16:26

Priority:

Status:

Closed

Resolution:

Fixed

Assigned:

Dave Shield

Category:

perl

Group:

None

Visibility:

Public

Comments ( 7 )

Date: 2008-09-04 23:07 Sender: tanders The r16962 python fix had a problem which has been fixed in r17207.
Date: 2008-05-25 00:13 Sender: tanders There's a similar problem with the Python interface which has been fixed in SVN Rev. 16962. The fix will be in 5.4.2.pre2, 5.5 and later.
Date: 2008-05-21 22:53 Sender: tanders CVE-2008-2292 has been assigned for this bug. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292 .
Date: 2007-12-22 19:23 Sender: dts12 SVN Revision 16770
Date: 2007-12-22 19:23 Sender: dts12 Thanks for the bug report! We've fixed the problem in the 5.2.x, 5.3.x and 5.4.x code branches and the main development tree, so it should be fixed in future releases of the Net-SNMP package.
Date: 2007-11-19 10:30 Sender: john_kortink_mb E.g. for 5.2.4, perl/SNMP/SNMP.xs line 3339. Although __snprint_value is passed the buffer's size, for some reason it then disregards it by blindly memcpy-ing an ASN_OCTET_STR into it : kaboom. It seems rather pointless to copy the value into an intermediate buffer anyway, since it's copied verbatim. It's in all versions, including 5.4.1.
Date: 2007-11-16 21:21 Sender: dts12 Could you possibly pinpoint exactly where this limit is applied in the perl code? I've had a quick look at the code, and can't immediately see where the value is handled. I'm sure we could find it eventually, but if you can point us in the right direction, this problem is more likely to get addressed relatively promptly.

Attached File

Changes ( 6 )

Field	Old Value	Date	By
assigned_to	nobody	2008-05-25 00:13	tanders
priority	5	2008-05-21 22:53	tanders
summary	snmp_get limits ASN1 OCTETSTRING length	2008-05-21 22:53	tanders
status_id	Open	2007-12-22 19:23	dts12
resolution_id	None	2007-12-22 19:23	dts12
close_date	-	2007-12-22 19:23	dts12

net-snmp

The forum address has changed, you have been automatically redirected. Please update any bookmarks to use the new URL.

Tracker: Bugs

Comments ( 7 )

Attached File

No Files Currently Attached

Changes ( 6 )

About SourceForge

Find Software

Develop Software

Community

Help