449894: CVE-2008-2292 net-snmp: buffer overflow in perl module's Perl Module __snprint_value()
Source: upstream, svn diff -r 16769:16770 (+ a little backporting)
Reviewed-By: Jan Safranek <jsafrane@redhat.com>
diff -up net-snmp-5.3.1/perl/SNMP/SNMP.xs.perl-snprintf net-snmp-5.3.1/perl/SNMP/SNMP.xs
--- net-snmp-5.3.1/perl/SNMP/SNMP.xs.perl-snprintf 2008-06-04 11:58:46.000000000 +0200
+++ net-snmp-5.3.1/perl/SNMP/SNMP.xs 2008-06-04 12:00:23.000000000 +0200
@@ -460,14 +460,16 @@ int flag;
if (flag == USE_ENUMS) {
for(ep = tp->enums; ep; ep = ep->next) {
if (ep->value == *var->val.integer) {
- strcpy(buf, ep->label);
+ strncpy(buf, ep->label, buf_len);
+ buf[buf_len-1] = '\0';
len = strlen(buf);
break;
}
}
}
if (!len) {
- sprintf(buf,"%ld", *var->val.integer);
+ snprintf(buf, buf_len, "%ld", *var->val.integer);
+ buf[buf_len-1] = '\0';
len = strlen(buf);
}
break;
@@ -476,21 +478,25 @@ int flag;
case ASN_COUNTER:
case ASN_TIMETICKS:
case ASN_UINTEGER:
- sprintf(buf,"%lu", (unsigned long) *var->val.integer);
+ snprintf(buf, buf_len, "%lu", (unsigned long) *var->val.integer);
+ buf[buf_len-1] = '\0';
len = strlen(buf);
break;
case ASN_OCTET_STR:
case ASN_OPAQUE:
- memcpy(buf, (char*)var->val.string, var->val_len);
len = var->val_len;
+ if ( len > buf_len )
+ len = buf_len;
+ memcpy(buf, (char*)var->val.string, len);
break;
case ASN_IPADDRESS:
- ip = (u_char*)var->val.string;
- sprintf(buf, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
- len = strlen(buf);
- break;
+ ip = (u_char*)var->val.string;
+ snprintf(buf, buf_len, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+ buf[buf_len-1] = '\0';
+ len = strlen(buf);
+ break;
case ASN_NULL:
break;
@@ -502,14 +508,14 @@ int flag;
break;
case SNMP_ENDOFMIBVIEW:
- sprintf(buf,"%s", "ENDOFMIBVIEW");
- break;
+ snprintf(buf, buf_len, "%s", "ENDOFMIBVIEW");
+ break;
case SNMP_NOSUCHOBJECT:
- sprintf(buf,"%s", "NOSUCHOBJECT");
- break;
+ snprintf(buf, buf_len, "%s", "NOSUCHOBJECT");
+ break;
case SNMP_NOSUCHINSTANCE:
- sprintf(buf,"%s", "NOSUCHINSTANCE");
- break;
+ snprintf(buf, buf_len, "%s", "NOSUCHINSTANCE");
+ break;
case ASN_COUNTER64:
#ifdef OPAQUE_SPECIAL_TYPES
@@ -528,16 +534,16 @@ int flag;
#endif
case ASN_BIT_STR:
- snprint_bitstring(buf, sizeof(buf), var, NULL, NULL, NULL);
+ snprint_bitstring(buf, buf_len, var, NULL, NULL, NULL);
len = strlen(buf);
break;
#ifdef OPAQUE_SPECIAL_TYPES
case ASN_OPAQUE_FLOAT:
if (var->val.floatVal)
- sprintf(buf,"%f", *var->val.floatVal);
+ snprintf(buf, buf_len, "%f", *var->val.floatVal);
break;
case ASN_OPAQUE_DOUBLE:
if (var->val.doubleVal)
- sprintf(buf,"%f", *var->val.doubleVal);
+ snprintf(buf, buf_len, "%f", *var->val.doubleVal);
break;
#endif
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
c0394d3068b44395994f031447c8052d
>
files
>
37
