From: SourceForge.net <no...@so...> - 2010-05-19 10:04:08
Bugs item #3003981, was opened at 2010-05-19 12:04
Message generated for change (Tracker Item Submitted) made by flup35
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=112694&aid=3003981&group_id=12694

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: security
Group: None
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: flup35 (flup35)
Assigned to: Nobody/Anonymous (nobody)
Summary: Possible buffer overflow in agent_read_config.c

Initial Comment:
version : 5.4.3.rc3
file : agent_read_config.c
OS : Windows/Linux (just based upon reading the code !)

When reading the code, in function snmpd_set_agent_address at line 176 of file agent_read_config.c, I see that buf is declared as

char buf[SPRINT_MAX_LEN];

SPRINT_MAX_LEN has the value 2560

However, at line 189, the newly read value is appended *without any overflow protection* to that stack variable named buf.

I suggest snprintf or sprintf_s is used (depending upon the used OS)

THIS IS A POTENTIAL SECURITY ISSUE (POSSIBLE BUFFER OVERFLOW EXPLOIT !)
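The kind of bounded append the report asks for, as an added example that is not part of the original message or the project's code: it checks the return value of snprintf and rejects a value that would not fit instead of silently truncating it. The helper name append_bounded, the ',' separator and the sample address strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SPRINT_MAX_LEN 2560   /* value quoted in the report */

/*
 * Hypothetical helper (not the project's code): append `value` to the
 * NUL-terminated string already in buf, with a ',' separator (assumed)
 * when buf is non-empty. Returns 0 on success, -1 if the result would
 * not fit; on failure buf keeps its previous contents.
 */
static int append_bounded(char *buf, size_t size, const char *value)
{
    const char *end;
    size_t used, room;
    int n;

    if (buf == NULL || value == NULL || size == 0)
        return -1;
    end = memchr(buf, '\0', size);
    if (end == NULL)              /* no terminator inside buf: refuse */
        return -1;
    used = (size_t)(end - buf);
    room = size - used;           /* bytes left, including the NUL */

    /* snprintf never writes more than `room` bytes and returns the
     * length the full output would have had. */
    n = snprintf(buf + used, room, "%s%s", used ? "," : "", value);
    if (n < 0 || (size_t)n >= room) {
        buf[used] = '\0';         /* undo the partial write */
        return -1;
    }
    return 0;
}

int main(void)
{
    char buf[SPRINT_MAX_LEN] = "";
    char big[SPRINT_MAX_LEN + 64];        /* constructed oversized input */

    memset(big, 'A', sizeof(big) - 1);
    big[sizeof(big) - 1] = '\0';
    printf("first:  %d\n", append_bounded(buf, sizeof(buf), "udp:161"));
    printf("second: %d\n", append_bounded(buf, sizeof(buf), "tcp:161"));
    printf("large:  %d\n", append_bounded(buf, sizeof(buf), big));
    printf("buf:    %s\n", buf);
    return 0;
}
```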