REDHAT-BUG-469349: Buffer Overflow
First published: Fri Oct 31 2008(Updated: )
Oscar Mira-Sanchez reported (via TippingPoint/ZDI) to Net-SNMP upstream an integer overflow in the numresponses calculation in snmp_agent.c. Size of memory requirement for bulkcache array is calculated based on the values form an SNMP request without properly checking for integer overflows, resulting in an insufficient memory allocation and heap-based buffer overflow. agent/snmp_agent.c: numresponses = asp->pdu->errindex * r; [ ... ] asp->bulkcache = (netsnmp_variable_list **) malloc(numresponses * sizeof(struct varbind_list *)); Issue can be triggered by an SNMP get request.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Net-SNMP |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17272
- http://sourceforge.net/forum/forum.php?forum_id=882903
- http://admin.fedoraproject.org/updates/net-snmp-5.4.1-8.fc8
- http://admin.fedoraproject.org/updates/net-snmp-5.4.1-19.fc9
- http://rhn.redhat.com/errata/RHSA-2008-0971.html
- https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9362
- https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9367
- http://admin.fedoraproject.org/updates/net-snmp-5.4.2.1-1.fc10
- https://bugzilla.redhat.com/show_bug.cgi?id=469349
- collector/redhat-bugzilla
- alias/CVE-2008-4309
- agent/weakness
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/severity
- agent/description
- agent/softwarecombine
- agent/tags
- agent/references
- agent/event
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/net-snmp
- canonical/net-snmp