
List:       net-snmp-bugs
Subject:    [ net-snmp-Bugs-1826174 ] snmp_get limits ASN1 OCTETSTRING length
From:       "SourceForge.net" <noreply () sourceforge ! net>
Date:       2008-09-04 23:07:45
Message-ID: E1KbNvV-0003Dw-GY () h45xhf1 ! ch3 ! sourceforge ! com

Bugs item #1826174, was opened at 2007-11-05 17:26
Message generated for change (Comment added) made by tanders
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=112694&aid=1826174&group_id=12694

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: perl
Group: None
Status: Closed
Resolution: Fixed
Priority: 6
Private: No
Submitted By: John Kortink (mBalance) (john_kortink_mb)
Assigned to: Dave Shield (dts12)
Summary: snmp_get limits ASN1 OCTETSTRING length [CVE-2008-2292]

Initial Comment:
Location : perl/SNMP/SNMP.xs.

snmp_get crashes on AVPs with (e.g.) an OCTETSTRING bigger than roughly 4096 (5.4.1,
5.2.4) or 2048 (5.1.4) bytes, which is a highly arbitrary limitation, looking at the
source code and how the buffer size is determined. It should handle at least up to 64
K, really (max. UDP packet payload size), or malloc() properly.


John Kortink


----------------------------------------------------------------------

> Comment By: Thomas Anders (tanders)
Date: 2008-09-05 01:07

Message:
Logged In: YES 
user_id=848638
Originator: NO

The r16962 python fix had a problem which has been fixed in r17207.

----------------------------------------------------------------------

Comment By: Thomas Anders (tanders)
Date: 2008-05-25 02:13

Message:
Logged In: YES 
user_id=848638
Originator: NO

There's a similar problem with the Python interface which has been fixed
in SVN Rev. 16962.
The fix will be in 5.4.2.pre2, 5.5 and later.



----------------------------------------------------------------------

Comment By: Thomas Anders (tanders)
Date: 2008-05-22 00:53

Message:
Logged In: YES 
user_id=848638
Originator: NO

CVE-2008-2292 has been assigned for this bug. See
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2292 .

----------------------------------------------------------------------

Comment By: Dave Shield (dts12)
Date: 2007-12-22 20:23

Message:
Logged In: YES 
user_id=88893
Originator: NO

Thanks for the bug report!
We've fixed the problem in the 5.2.x, 5.3.x
and 5.4.x code branches and the main development
tree, so it should be fixed in future releases
of the Net-SNMP package.

----------------------------------------------------------------------

Comment By: Dave Shield (dts12)
Date: 2007-12-22 20:23

Message:
Logged In: YES 
user_id=88893
Originator: NO

SVN Revision 16770

----------------------------------------------------------------------

Comment By: John Kortink (mBalance) (john_kortink_mb)
Date: 2007-11-19 11:30

Message:
Logged In: YES 
user_id=1682342
Originator: YES

E.g. for 5.2.4, perl/SNMP/SNMP.xs line 3339.

Although __snprint_value is passed the buffer's size, for some reason it
then disregards it by blindly memcpy-ing an ASN_OCTET_STR into it : kaboom.
It seems rather pointless to copy the value into an intermediate buffer
anyway, since it's copied verbatim.

It's in all versions, including 5.4.1.
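
The bounded copy the comment above calls for, as an added example that is not part of the original report and is not Net-SNMP's code. `struct octet_value`, `copy_checked`, `copy_alloc` and the demo helpers are hypothetical names, and the 4096-byte buffer is a constructed sample using the rough limit quoted in the report.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a decoded OCTET STRING; not a Net-SNMP type. */
struct octet_value { const unsigned char *data; size_t len; };

/* Bounded form: returns bytes copied, or -1 (writing nothing) if the value
 * does not fit. The reported pattern is this memcpy() without the length test. */
long copy_checked(char *buf, size_t buf_len, const struct octet_value *v)
{
    if (buf == NULL || v == NULL || v->data == NULL || v->len > buf_len)
        return -1;
    memcpy(buf, v->data, v->len);
    return (long)v->len;
}

/* Allocating form: the buffer is sized from the value itself; caller frees. */
unsigned char *copy_alloc(const struct octet_value *v, size_t *out_len)
{
    if (v == NULL || v->data == NULL || out_len == NULL)
        return NULL;
    unsigned char *p = malloc(v->len ? v->len : 1); /* never request 0 bytes */
    if (p == NULL)
        return NULL;
    memcpy(p, v->data, v->len);
    *out_len = v->len;
    return p;
}

/* Constructed sample value: up to 64 K of zero bytes. */
static const unsigned char sample[65536];

/* Offers n sample bytes (n <= 65536) to a 4096-byte stack buffer and
 * returns copy_checked()'s verdict. */
long demo_checked(size_t n)
{
    char buf[4096];
    struct octet_value v = { sample, n };
    return copy_checked(buf, sizeof buf, &v);
}

/* Same sample through copy_alloc(); returns the length copied, 0 on failure. */
size_t demo_alloc(size_t n)
{
    struct octet_value v = { sample, n };
    size_t got = 0;
    free(copy_alloc(&v, &got));
    return got;
}
```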


----------------------------------------------------------------------

Comment By: Dave Shield (dts12)
Date: 2007-11-16 22:21

Message:
Logged In: YES 
user_id=88893
Originator: NO

Could you possibly pinpoint exactly where this limit
is applied in the perl code?  I've had a quick look
at the code, and can't immediately see where the value
is handled.
  I'm sure we could find it eventually, but if you
can point us in the right direction, this problem is
more likely to get addressed relatively promptly.

----------------------------------------------------------------------
