In function _check_range() with range (0..4294967295) can be buffer
overflow:
while (rp) {
if (rp->low <= ltmp && ltmp <= rp->high) break;
/* Allow four digits per range value */
------------- here length of digits belongs from their values
------------- this code is not applicable for range (0..4294967295)
temp_len += ((rp->low != rp->high) ? 14 : 8 );
rp = rp->next;
}
if (!rp) {
*resptr = SNMPERR_RANGE;
temp = (char *)malloc( temp_len+strlen(errmsg)+7);
if ( temp ) {
/* Append the Display Hint range information to the error
message */
sprintf( temp, "%s :: {", errmsg );
cp = temp+(strlen(temp));
for ( rp = tp->ranges; rp; rp=rp->next ) {
if ( rp->low != rp->high )
-------------- here content of the memory can be damaged
----------will be better to change to (%4d..%4d) or get exact length of digits
sprintf( cp, "(%d..%d), ", rp->low, rp->high );
else
sprintf( cp, "(%d), ", rp->low );
cp += strlen(cp);
}
*(cp-2) = '}'; /* Replace the final comma with a '}' */
*(cp-1) = 0;
snmp_set_detail(temp);
free(temp);
}
return 0;
}
Aleksandr Lomanov
ICQ#: 170411676
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Net-snmp-coders mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders
