
#1894 snmp_get limits ASN1 OCTETSTRING length [CVE-2008-2292]

closed
perl (81)
6
2012-11-08
2007-11-05
No

Location : perl/SNMP/SNMP.xs.

snmp_get crashes on AVPs with (e.g.) an OCTETSTRING bigger than roughly 4096 (5.4.1, 5.2.4) or 2048 (5.1.4) bytes, which is a highly arbitrary limitation, looking at the source code and how the buffer size is determined. It should handle at least up to 64 K, really (max. UDP packet payload size), or malloc() properly.

John Kortink

Discussion

  • Dave Shield

    Dave Shield - 2007-11-16

    Logged In: YES
    user_id=88893
    Originator: NO

    Could you possibly pinpoint exactly where this limit
    is applied in the perl code? I've had a quick look
    at the code, and can't immediately see where the value
    is handled.
    I'm sure we could find it eventually, but if you
    can point us in the right direction, this problem is
    more likely to get addressed relatively promptly.

  • John Kortink (mBalance)

    Logged In: YES
    user_id=1682342
    Originator: YES

    E.g. for 5.2.4, perl/SNMP/SNMP.xs line 3339.

    Although __snprint_value is passed the buffer's size, for some reason it then disregards it by blindly memcpy-ing an ASN_OCTET_STR into it: kaboom. It seems rather pointless to copy the value into an intermediate buffer anyway, since it's copied verbatim.

    It's in all versions, including 5.4.1.
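
The defect described in this comment, as an added illustration that is not Net-SNMP's own code: a simplified stand-in for the OCTET STRING copy in __snprint_value that honours the caller's buffer size, reports how many bytes the value actually needs so truncation can be detected, and, as the report suggests, alternatively sizes a heap buffer to the value. The vb_t struct and the function and field names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

#define ASN_OCTET_STR 0x04  /* BER tag for OCTET STRING */

/* Hypothetical stand-in for a decoded variable binding. */
typedef struct {
    unsigned char        type;
    const unsigned char *val;
    size_t               val_len;   /* decoded from the PDU, so untrusted */
} vb_t;

/* Bounded copy: writes at most buf_len bytes and returns the count written.
 * *needed gets the full value length, so needed > buf_len flags truncation.
 * Returns (size_t)-1 for anything that is not an OCTET STRING. */
size_t snprint_octet_str(const vb_t *vb, unsigned char *buf, size_t buf_len, size_t *needed)
{
    if (!vb || !buf || !needed || vb->type != ASN_OCTET_STR) return (size_t)-1;
    *needed = vb->val_len;
    /* The reported defect: memcpy(buf, vb->val, vb->val_len) with no clamp to buf_len. */
    size_t n = vb->val_len < buf_len ? vb->val_len : buf_len;
    memcpy(buf, vb->val, n);
    return n;
}

/* The report's other option: a buffer sized to the value. Caller frees; NULL on error. */
unsigned char *dup_octet_str(const vb_t *vb, size_t *out_len)
{
    if (!vb || !out_len || vb->type != ASN_OCTET_STR) return NULL;
    unsigned char *p = malloc(vb->val_len ? vb->val_len : 1);
    if (!p) return NULL;
    memcpy(p, vb->val, vb->val_len);
    *out_len = vb->val_len;
    return p;
}

/* Self-check mirroring the report: a constructed 8192-byte value against a 4096-byte buffer. */
int octet_str_copy_self_check(void)
{
    static unsigned char big[8192];
    unsigned char out[4096];
    size_t needed = 0, len = 0;
    memset(big, 'A', sizeof big);
    vb_t vb = { ASN_OCTET_STR, big, sizeof big };
    if (snprint_octet_str(&vb, out, sizeof out, &needed) != sizeof out || needed != sizeof big) return 0;
    unsigned char *dup = dup_octet_str(&vb, &len);
    int ok = dup && len == sizeof big && memcmp(dup, big, len) == 0;
    free(dup);
    return ok;
}
```

With a fixed buffer the caller should compare needed against the buffer size and either report truncation or retry with dup_octet_str.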

  • Dave Shield

    Dave Shield - 2007-12-22

    Logged In: YES
    user_id=88893
    Originator: NO

    SVN Revision 16770

  • Dave Shield

    Dave Shield - 2007-12-22

    Logged In: YES
    user_id=88893
    Originator: NO

    Thanks for the bug report!
    We've fixed the problem in the 5.2.x, 5.3.x
    and 5.4.x code branches and the main development
    tree, so it should be fixed in future releases
    of the Net-SNMP package.

  • Thomas Anders

    Thomas Anders - 2008-05-21

    Logged In: YES
    user_id=848638
    Originator: NO

    CVE-2008-2292 has been assigned for this bug. See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292 .

  • Thomas Anders

    Thomas Anders - 2008-05-25

    Logged In: YES
    user_id=848638
    Originator: NO

    There's a similar problem with the Python interface which has been fixed in SVN Rev. 16962.
    The fix will be in 5.4.2.pre2, 5.5 and later.

  • Thomas Anders

    Thomas Anders - 2008-09-04

    Logged In: YES
    user_id=848638
    Originator: NO

    The r16962 python fix had a problem which has been fixed in r17207.

