In function _check_range() with range (0..4294967295) can be buffer overflow: while (rp) { if (rp->low <= ltmp && ltmp <= rp->high) break; /* Allow four digits per range value */ ------------- here length of digits belongs from their values ------------- this code is not applicable for range (0..4294967295) temp_len += ((rp->low != rp->high) ? 14 : 8 );
rp = rp->next; } if (!rp) { *resptr = SNMPERR_RANGE; temp = (char *)malloc( temp_len+strlen(errmsg)+7); if ( temp ) { /* Append the Display Hint range information to the error message */ sprintf( temp, "%s :: {", errmsg ); cp = temp+(strlen(temp)); for ( rp = tp->ranges; rp; rp=rp->next ) { if ( rp->low != rp->high ) -------------- here content of the memory can be damaged ----------will be better to change to (%4d..%4d) or get exact length of digits sprintf( cp, "(%d..%d), ", rp->low, rp->high ); else sprintf( cp, "(%d), ", rp->low ); cp += strlen(cp); } *(cp-2) = '}'; /* Replace the final comma with a '}' */ *(cp-1) = 0; snmp_set_detail(temp); free(temp); } return 0; } Aleksandr Lomanov ICQ#: 170411676 ------------------------------------------------------------------------- This SF.Net email is sponsored by the Moblin Your Move Developer's challenge Build the coolest Linux based applications with Moblin SDK & win great prizes Grand prize is a trip for two to an Open Source event anywhere in the world http://moblin-contest.org/redirect.php?banner_id=100&url=/ _______________________________________________ Net-snmp-coders mailing list Net-snmp-coders@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/net-snmp-coders