realloc_format_trap expects the second parameter to be the input
buffer's length, but instead it was sent sizeof(char*). When the
host name was shorter than that, realloc_format_trap would write to
unallocated memory, potentially crashing the daemon.
---
apps/snmptrapd_sql.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apps/snmptrapd_sql.c b/apps/snmptrapd_sql.c
index ccba258..628c9bf 100644
--- a/apps/snmptrapd_sql.c
+++ b/apps/snmptrapd_sql.c
@@ -730,7 +730,7 @@ _sql_save_trap_info(sql_buf *sqlb, netsnmp_pdu *pdu,
/** host name */
buf_host_len_t = 0;
- tmp_size = sizeof(sqlb->host);
+ tmp_size = 0;
realloc_format_trap((u_char**)&sqlb->host, &tmp_size,
&buf_host_len_t, 1, "%B", pdu, transport);
sqlb->host_len = buf_host_len_t;
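Review bot: `tmp_size = 0;` is only safe if `sqlb->host` is NULL (or a valid heap pointer) when this code runs, and the hunk does not show where `sqlb->host` is initialized. Since `realloc_format_trap` is handed `&sqlb->host` together with a length of zero, please confirm the `sql_buf` is zero-initialized before this point, and add a short comment here saying that the buffer is allocated by the call. Also, the return value of `realloc_format_trap` is ignored in these lines, so `sqlb->host_len` is stored even if the call fails. Checking the result before the assignment would avoid recording a length for a buffer that was never filled. Finally, the allocated size returned in `tmp_size` is not saved anywhere visible; if `sqlb->host` is reused across traps, keeping that size in the struct would let the next call pass the real buffer length instead of zero.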
--
1.7.11.7
_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders