[AGENT++] snmp++ buffer overrun

Dave White | Networking dave.white at efi.com
Wed Feb 10 01:03:44 CET 2010


Hello Frank,

There is a possibility of a buffer overrun and stack corruption in snmp++/src/address.cpp in the function IpAddress::parse_dotted_ipstring() if the string length of the input parameter is exactly 30 bytes.  This can happen if the input string is a colon separated IPv6 string.  The statement at line #452 (Snmp++v3.2.24) should be changed to prevent overrun of "char temp[30]" in the strcpy() of the next statement (line #454).

current line 452 (Snmp++v3.2.24)
  if (!inaddr || (strlen(inaddr) > 30)) return FALSE;

Should be
  if (!inaddr || (strlen(inaddr) >= sizeof(temp))) return FALSE;

Problem is that strcpy() will overrun temp[30] by one byte (the '\0') if strlen(inaddr) is exactly 30, causing possible stack corruption.

Best Regards,
Dave
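Added example, not part of Dave's message or of the Snmp++ source: the two length checks quoted above side by side, with a constructed 30-character colon-separated string at the boundary the report describes, to show why the v3.2.24 check admits an input whose strcpy() needs 31 bytes while the proposed check rejects it. TEMP_SIZE, the function names and the sample string are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TEMP_SIZE 30   /* mirrors "char temp[30]" in IpAddress::parse_dotted_ipstring() */

/* The check as reported for Snmp++ v3.2.24 line 452 (!inaddr || strlen > 30):
 * a 30-byte string passes, but strcpy() then writes 31 bytes (30 chars + '\0'). */
bool old_check_accepts(const char *inaddr)
{
    return inaddr && strlen(inaddr) <= TEMP_SIZE;   /* same as !(strlen(inaddr) > 30) */
}

/* The proposed replacement (!inaddr || strlen >= sizeof(temp)):
 * anything that does not fit together with its terminator is rejected. */
bool new_check_accepts(const char *inaddr)
{
    return inaddr && strlen(inaddr) < TEMP_SIZE;    /* same as !(strlen(inaddr) >= sizeof(temp)) */
}

/* Bytes strcpy() actually writes for this input, terminator included. */
size_t strcpy_bytes_needed(const char *inaddr)
{
    return strlen(inaddr) + 1;
}

/* Copy into a TEMP_SIZE buffer only when the corrected check passes.
 * Returns false and leaves 'out' untouched otherwise. */
bool copy_to_temp(char out[TEMP_SIZE], const char *inaddr)
{
    if (!new_check_accepts(inaddr)) return false;
    memcpy(out, inaddr, strlen(inaddr) + 1);        /* fits: strlen + 1 <= TEMP_SIZE */
    return true;
}

int main(void)
{
    /* Constructed sample: exactly 30 characters, IPv6-style colon separated. */
    const char *ipv6_30 = "2001:0db8:85a3:0000:8a2e:0370:";
    char temp[TEMP_SIZE];

    printf("len=%zu old_check=%d new_check=%d bytes_needed=%zu buffer=%d\n",
           strlen(ipv6_30), old_check_accepts(ipv6_30), new_check_accepts(ipv6_30),
           strcpy_bytes_needed(ipv6_30), TEMP_SIZE);
    printf("copy_to_temp with corrected check: %d\n", copy_to_temp(temp, ipv6_30));
    return 0;
}
```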




