The code parsing cpuinfo strings could read past end of buffer. Avoid this problem by using only part of the allocated size and null terminating.
Add check for read error. --- agent/mibgroup/hardware/cpu/cpu_linux.c | 33 +++++++++++++++++++++--------- 1 files changed, 23 insertions(+), 10 deletions(-) --- a/agent/mibgroup/hardware/cpu/cpu_linux.c 2009-03-16 16:44:16.324267505 -0700 +++ b/agent/mibgroup/hardware/cpu/cpu_linux.c 2009-03-17 08:39:26.010229361 -0700 @@ -100,7 +100,7 @@ int netsnmp_cpu_arch_load( netsnmp_cache static int bsize = 0; static int first = 1; static int has_cpu_26 = 1; - int statfd, i; + int bytes_read, statfd, i; char *b1, *b2; unsigned long long cusell = 0, cicell = 0, csysll = 0, cidell = 0, ciowll = 0, cirqll = 0, csoftll = 0; @@ -111,18 +111,24 @@ int netsnmp_cpu_arch_load( netsnmp_cache return -1; } if (bsize == 0) { - bsize = 256; - buff = malloc(bsize); + bsize = 255; + buff = malloc(bsize+1); } - while (read(statfd, buff, bsize) == bsize) { + while ((bytes_read = read(statfd, buff, bsize)) == bsize) { bsize += 256; - buff = realloc(buff, bsize); + buff = realloc(buff, bsize+1); DEBUGMSGTL(("cpu", "/proc/stat buffer increased to %d\n", bsize)); close(statfd); statfd = open(STAT_FILE, O_RDONLY, 0); } close(statfd); + if (bytes_read < 0) { + snmp_log_perror(STAT_FILE "read error"); + return -1; + } + buff[bytes_read] = '\0'; + /* * CPU statistics (overall and per-CPU) */ @@ -194,23 +200,28 @@ void _cpu_load_swap_etc( char *buff, net static char *vmbuff = NULL; static int vmbsize = 0; static int first = 1; - int vmstatfd; + int bytes_read,vmstatfd; char *b; unsigned long long pin, pout, swpin, swpout; unsigned long long itot, iticks, ctx; if (has_vmstat && (vmstatfd = open(VMSTAT_FILE, O_RDONLY, 0)) != -1) { if (vmbsize == 0) { - vmbsize = 256; - vmbuff = malloc(vmbsize); + vmbsize = 255; + vmbuff = malloc(vmbsize+1); } - while (read(vmstatfd, vmbuff, vmbsize) == vmbsize) { + while ((bytes_read = read(vmstatfd, vmbuff, vmbsize)) == vmbsize) { vmbsize += 256; vmbuff = realloc(vmbuff, vmbsize); close(vmstatfd); vmstatfd = open(VMSTAT_FILE, O_RDONLY, 0); } close(vmstatfd); + if (bytes_read < 0) { + snmp_log_perror(VMSTAT_FILE "read error"); + has_vmstat = 0; + } else + vmbuff[bytes_read] = '\0'; } else has_vmstat = 0; -- ------------------------------------------------------------------------------ Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are powering Web 2.0 with engaging, cross-platform capabilities. Quickly and easily build your RIAs with Flex Builder, the Eclipse(TM)based development software that enables intelligent coding and step-through debugging. Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com _______________________________________________ Net-snmp-coders mailing list Net-snmp-coders@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/net-snmp-coders