On Fri, Mar 22, 2002 at 07:40:57AM -0600, Frank Singleton wrote: > Do I have an old SNMP lib ?
If your SNMP library isn't 4.2.2 or later, yes, you do have an old SNMP library. The old SNMP library does not have APIs that would allow programs using it to format OIDs and variable bindings to be safe from buffer overflows; they only have routines that format into a caller-supplied buffer and that do *no* bounds checking. (Furthermore, even *current* versions of the library use an internal buffer for one of those routines, and do no bounds checking on that buffer. It turns out it's not necessary to use that buffer; the current CVS code includes changes to make it not do so, but there's no release with those changes yet - it'll presumably show up in the final 4.2.4 release when it comes out.) > I think the last nightly tarball I did compile successfully on my > box was ethereal-2002-02-08 . > > So perhaps something has changed between these 2 dates ? Yes, something changed - the SNMP code changed to to use the new APIs rather than the old unsafe ones.
