Currently ax.c doesn't check the maximum length of an OID in ax_pdutooid.
This can lead to a buffer overflow. Even though it must be fixed, I
don't think there's a big risk here, since an attacker would need to have
access to the agentx socket, which by default is disabled and defaults
to root:_agentx when enabled.
OK?
martijn@
diff --git a/ax.c b/ax.c
index 63add68..27580a6 100644
--- a/ax.c
+++ b/ax.c
@@ -1442,6 +1442,8 @@ ax_pdutooid(struct ax_pdu_header *header, struct ax_oid
*oid,
}
buf++;
oid->aoi_include = *buf;
+ if (oid->aoi_idlen > AX_OID_MAX_LEN)
+ goto fail;
for (buf += 2; i < oid->aoi_idlen; i++, buf += 4)
oid->aoi_id[i] = ax_pdutoh32(header, buf);
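Review bot: the new check compares aoi_idlen against AX_OID_MAX_LEN, but the loop index i is not initialised within this hunk; if i can start at a non-zero value when the loop is reached (for example because entries were already placed in aoi_id earlier in the function), then aoi_idlen must already include those entries for the comparison to bound the writes to oid->aoi_id[i]. Please confirm that aoi_idlen is the total element count at this point, or bound the loop with an explicit check such as "if (oid->aoi_idlen > AX_OID_MAX_LEN || i > oid->aoi_idlen) goto fail;". It would also be worth placing the length check immediately where aoi_idlen is decoded rather than after aoi_include is read, so the function rejects an oversized OID before any further parsing, and confirming that the fail label it jumps to exists in this function and releases anything allocated so far.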