[AGENT++] "salt" variable in snmp++ v.3.2.19 and segfault

Jacek Poplawski jacekp at s3group.com.pl
Fri Jan 20 12:00:49 CET 2006


Hello.

We are using snmp++ library in our project.

Today, while we were performing vulnerability testing, our project segfaulted.
The reason was line 1240 of auth_priv.cpp in snmp++ v3.2.19:

 pp_uint64     my_salt = *salt++;

This instruction just increments the pointer!

What exactly is "salt" variable?
It is declared as:

pp_uint64 *salt;

So one could expect that this is some pointer to an array. However, I 
can't find the place where this value is initialized.
I found (unused) code where this value is just randomized!

unsigned int *rnd = (unsigned int*)&salt;
*rnd = rand() << 1;

If I understand this correctly, the pointer is cast to unsigned int, and 
then randomized.

And even _if_ salt is somehow initialized correctly, there is no end to the 
loop, because *salt++ will just read the whole memory!

Am I wrong?

How should the "salt" variable work, and where is the mechanism to avoid reading 
the whole memory in line 1240 of auth_priv.cpp?

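The following is an added example, not code from the post above or from snmp++ itself. It demonstrates the three points the post raises in isolation: the precedence of `*salt++` versus `(*salt)++`, what a write through `(unsigned int*)&salt` actually touches, and how a salt kept as a counter value rather than an uninitialized pointer behaves. The `pp_uint64` typedef, the `salt_state` struct and the `salt_init`/`salt_next` functions are assumptions made for the illustration; they are not the library's API. The type-pun is reproduced with `memcpy`, which writes the same bytes as the cast without the strict-aliasing violation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: snmp++'s pp_uint64 is an unsigned 64-bit integer. */
typedef uint64_t pp_uint64;

/* 1. Precedence: in "*salt++" the ++ applies to the pointer. The expression
 *    reads the element salt currently points to and then moves salt to the
 *    next element. Nothing in the expression knows where the array ends. */
pp_uint64 read_and_advance_pointer(pp_uint64 **salt_pp) {
    pp_uint64 *salt = *salt_pp;
    pp_uint64 my_salt = *salt++;      /* same shape as the reported line */
    *salt_pp = salt;                  /* hand the moved pointer back */
    return my_salt;
}

/* "(*salt)++" is the other reading: the pointer stays put and the value it
 * points to is incremented, which is what a per-message counter needs. */
pp_uint64 read_and_advance_value(pp_uint64 *salt) {
    return (*salt)++;
}

/* 2. "(unsigned int*)&x; *rnd = r << 1;" stores sizeof(unsigned int) bytes
 *    into a sizeof(pp_uint64) object. On a 64-bit value it sets one half and
 *    leaves the other half untouched; on a pointer variable it would replace
 *    half of the address with random bits. Which half depends on endianness. */
pp_uint64 punned_write(pp_uint64 before, unsigned int r) {
    pp_uint64 x = before;
    unsigned int part = r << 1;
    memcpy(&x, &part, sizeof part);   /* 4 of the 8 bytes are overwritten */
    return x;
}

/* 3. A salt that cannot walk off the end of anything: a 64-bit counter value
 *    seeded once and incremented per use. Hypothetical layout, not snmp++'s. */
typedef struct {
    pp_uint64 salt;
    int       seeded;
} salt_state;

void salt_init(salt_state *s, pp_uint64 seed) {
    s->salt = seed;
    s->seeded = 1;
}

/* Returns the salt for this message and advances the counter. If the state
 * was never seeded, reports failure through *ok instead of returning garbage. */
pp_uint64 salt_next(salt_state *s, int *ok) {
    if (!s->seeded) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return s->salt++;
}

int main(void) {
    pp_uint64 arr[3] = {10, 20, 30};        /* constructed sample data */
    pp_uint64 *p = arr;
    printf("*salt++ read %llu, pointer moved by %ld element(s)\n",
           (unsigned long long)read_and_advance_pointer(&p), (long)(p - arr));

    pp_uint64 v = 5;
    printf("(*salt)++ read %llu, value is now %llu\n",
           (unsigned long long)read_and_advance_value(&v), (unsigned long long)v);

    printf("punned write over all-ones: 0x%016llx\n",
           (unsigned long long)punned_write(~0ULL, 1));

    salt_state s = {0, 0};
    int ok;
    pp_uint64 bad = salt_next(&s, &ok);
    printf("unseeded salt_next: ok=%d value=%llu\n", ok, (unsigned long long)bad);
    salt_init(&s, 0x1234ULL);              /* a real agent would seed randomly */
    printf("seeded salt_next: %llu then %llu\n",
           (unsigned long long)salt_next(&s, &ok),
           (unsigned long long)salt_next(&s, &ok));
    return 0;
}
```

Run it and compare the two `read_and_advance_*` lines: the first moves the pointer, the second moves the value. The punned write shows exactly half of the 64-bit word changing, which is why a cast like that applied to a pointer variable corrupts the address rather than seeding a salt.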