Date:      Sat, 14 May 2016 21:32:53 +0000 (UTC)
From:      Garrett Cooper <ngie@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r299765 - head/usr.sbin/bsnmpd/tools/libbsnmptools
Message-ID:  <201605142132.u4ELWr3V049592@repo.freebsd.org>

Author: ngie
Date: Sat May 14 21:32:52 2016
New Revision: 299765
URL: https://svnweb.freebsd.org/changeset/base/299765

Log:
  Fix theoretical buffer overflow issues in snmp_oid2asn_oid
  
  Increase the size of `string` by 1 to account for the '\0' terminator. In the event
  that `str` doesn't contain any non-alpha chars, i would be set to MAXSTR, and
  the subsequent strlcpy call would overflow by a character.
  
  Remove unnecessary `string[i] = '\0'` -- this is already handled by strlcpy.
  
  MFC after: 1 week
  Reported by: clang
  Sponsored by: EMC / Isilon Storage Division

Modified:
  head/usr.sbin/bsnmpd/tools/libbsnmptools/bsnmptools.c

Modified: head/usr.sbin/bsnmpd/tools/libbsnmptools/bsnmptools.c
==============================================================================
--- head/usr.sbin/bsnmpd/tools/libbsnmptools/bsnmptools.c	Sat May 14 21:27:33 2016	(r299764)
+++ head/usr.sbin/bsnmpd/tools/libbsnmptools/bsnmptools.c	Sat May 14 21:32:52 2016	(r299765)
@@ -1060,7 +1060,7 @@ snmp_oid2asn_oid(struct snmp_toolinfo *s
     struct asn_oid *oid)
 {
 	int32_t i;
-	char string[MAXSTR], *endptr;
+	char string[MAXSTR + 1], *endptr;
 	struct snmp_object obj;
 
 	for (i = 0; i < MAXSTR; i++)
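Review bot: the new size in `char string[MAXSTR + 1]` and the bound in `for (i = 0; i < MAXSTR; i++)` are tied together only by convention, and nothing at the declaration says why the extra byte is there. Suggest a one-line comment on the declaration noting that the extra byte holds the terminator when the scan ends at i == MAXSTR, or deriving the loop bound from the buffer (for example `i < (int32_t)sizeof(string) - 1`), so that a later change to either line cannot bring the one-byte overflow back unnoticed.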
@@ -1076,7 +1076,6 @@ snmp_oid2asn_oid(struct snmp_toolinfo *s
 			return (NULL);
 	} else {
 		strlcpy(string, str, i + 1);
-		string[i] = '\0';
 		if (snmp_lookup_enumoid(snmptoolctx, &obj, string) < 0) {
 			warnx("Unknown string - %s", string);
 			return (NULL);
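Review bot: `strlcpy(string, str, i + 1)` still takes its size from the scan index rather than from the destination, so the copy is in bounds only while `i` never exceeds MAXSTR. A check next to the call (for example returning NULL when `i + 1 > sizeof(string)`) would keep that invariant local instead of relying on the loop bound further up. Also, when the scan ends at i == MAXSTR, `string` may hold only a truncated prefix of `str`, which is then passed to `snmp_lookup_enumoid` and printed by `warnx`; consider rejecting an over-long name as its own error rather than looking up a prefix.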


