Oscar Mira-Sanchez reported (via TippingPoint/ZDI) to Net-SNMP upstream an integer overflow in the numresponses calculation in snmp_agent.c. Size of memory requirement for bulkcache array is calculated based on the values from an SNMP request without properly checking for integer overflows, resulting in an insufficient memory allocation and heap-based buffer overflow.

agent/snmp_agent.c:

    numresponses = asp->pdu->errindex * r;
    [ ... ]
    asp->bulkcache = (netsnmp_variable_list **) malloc(numresponses * sizeof(struct varbind_list *));

Issue can be triggered by an SNMP get request.
Upstream SVN commit: http://net-snmp.svn.sourceforge.net/viewvc/net-snmp?view=rev&revision=17272
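The allocation-size pattern from the description, next to an overflow-checked variant, as an added example: this is not Net-SNMP code and not the upstream fix. The struct, the function names and the MAX_BULK_RESPONSES cap are assumptions made for illustration; only errindex, r and numresponses are names taken from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the agent's varbind list node. */
struct varbind { struct varbind *next; };

/* Assumed policy cap on responses per request (not a Net-SNMP value). */
#define MAX_BULK_RESPONSES 100000u

/* Unchecked pattern, modelled in 32-bit unsigned arithmetic so the
 * wrap is well-defined: byte count that would reach malloc(). */
static uint32_t unchecked_bytes(uint32_t errindex, uint32_t r)
{
    uint32_t numresponses = errindex * r;                     /* may wrap */
    return numresponses * (uint32_t)sizeof(struct varbind *); /* may wrap */
}

/* Checked count: 0 on success, -1 if the request is rejected. */
static int checked_numresponses(long errindex, long r, size_t *out)
{
    if (errindex < 0 || r < 0)
        return -1;                          /* negative request values */
    size_t a = (size_t)errindex, b = (size_t)r;
    if (a != 0 && b > SIZE_MAX / a)
        return -1;                          /* a * b would overflow */
    if (a * b > MAX_BULK_RESPONSES)
        return -1;                          /* exceeds policy cap */
    *out = a * b;
    return 0;
}

/* Allocate the cache only after the count has been validated. */
static struct varbind **alloc_bulkcache(long errindex, long r, size_t *n)
{
    if (checked_numresponses(errindex, r, n) != 0)
        return NULL;
    return calloc(*n ? *n : 1, sizeof(struct varbind *));
}

int main(void)
{
    size_t n = 0;
    struct varbind **cache = alloc_bulkcache(10, 3, &n);
    printf("unchecked bytes, 0x40000000 * 4: %u\n",
           (unsigned)unchecked_bytes(0x40000000u, 4u));
    printf("checked, same inputs: %s\n",
           alloc_bulkcache(0x40000000L, 4, &n) ? "allocated" : "rejected");
    free(cache);
    return 0;
}
```

Because the cap bounds the element count before calloc() is called, the later multiplication by the pointer size cannot wrap either.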
This is going to be RHSA-2008:0971
This is public: http://sourceforge.net/forum/forum.php?forum_id=882903
net-snmp-5.4.1-8.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/net-snmp-5.4.1-8.fc8
net-snmp-5.4.1-19.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/net-snmp-5.4.1-19.fc9
net-snmp-5.4.1-8.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
net-snmp-5.4.1-19.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0971.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-9362
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-9367
net-snmp-5.4.2.1-1.fc10 did not make it to F10 before release and will need to be submitted as an update via bodhi.
net-snmp-5.4.2.1-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/net-snmp-5.4.2.1-1.fc10
net-snmp-5.4.2.1-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.