Currently ax.c doesn't check the maximum length of an OID in ax_pdutooid. This can lead to a buffer overflow. Even though it must be fixed, I don't think there's a big risk here, since an attacker would need to have access to the agentx socket, which by default is disabled and defaults to root:_agentx when enabled.
OK? martijn@

diff --git a/ax.c b/ax.c index 63add68..27580a6 100644 --- a/ax.c +++ b/ax.c @@ -1442,6 +1442,8 @@ ax_pdutooid(struct ax_pdu_header *header, struct ax_oid *oid, } buf++; oid->aoi_include = *buf; + if (oid->aoi_idlen > AX_OID_MAX_LEN) + goto fail; for (buf += 2; i < oid->aoi_idlen; i++, buf += 4) oid->aoi_id[i] = ax_pdutoh32(header, buf);
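Review bot: the bound `oid->aoi_idlen > AX_OID_MAX_LEN` is only sufficient if `aoi_idlen` already includes any prefix sub-identifiers added to `aoi_id[]` earlier in ax_pdutooid, because the loop `for (buf += 2; i < oid->aoi_idlen; i++, buf += 4)` starts from the pre-set `i` rather than 0; that earlier code is outside the hunk, so please confirm the comparison is made against the final count and that `aoi_id[]` is sized `AX_OID_MAX_LEN` (so `aoi_idlen == AX_OID_MAX_LEN` is the legitimate maximum, as the `>` allows). The placement itself is right: the check sits after `oid->aoi_include = *buf;` and before the first write to `oid->aoi_id[i]`, so nothing is stored before the length is validated. Two smaller points: the `fail:` label is not visible here, so verify it leaves `oid` in a state the caller treats as invalid, and a one-line comment such as `/* bound on aoi_id[] */` above the check would make clear it limits the in-memory array, not the wire encoding.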