> Currently ax.c doesn't check the maximum length of an OID ax_pdutooid.
> This can lead to a buffer overflow. Even though it must be fixed, I
> don't think there's a big risk here, since an attacker would need to have
> access to the agentx socket, which by default is disabled and defaults
> to root:_agentx when enabled.
Here's the libagentx counterpart. OK? martijn@ Index: ax.c =================================================================== RCS file: /cvs/src/lib/libagentx/ax.c,v retrieving revision 1.8 diff -u -p -r1.8 ax.c --- ax.c 24 Oct 2021 17:43:38 -0000 1.8 +++ ax.c 9 Oct 2023 20:14:13 -0000 @@ -1262,6 +1262,8 @@ ax_pdutooid(struct ax_pdu_header *header } buf++; oid->aoi_include = *buf; + if (oid->aoi_idlen > AX_OID_MAX_LEN) + goto fail; for (buf += 2; i < oid->aoi_idlen; i++, buf += 4) oid->aoi_id[i] = ax_pdutoh32(header, buf);
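Review bot: the new `if (oid->aoi_idlen > AX_OID_MAX_LEN) goto fail;` is placed correctly, before the `for` loop that writes `oid->aoi_id[i]`, but the `>` comparison is only right if `aoi_id` is declared with exactly `AX_OID_MAX_LEN` elements; please confirm the array size in the header, since a smaller array would leave a one-element overflow with `aoi_idlen == AX_OID_MAX_LEN`. A short comment on the check (that it bounds the writes in the loop below) would also help the next reader, and it would be worth stating in the commit message that the PDU length itself is validated elsewhere, as this hunk only bounds `aoi_idlen` against the array, not against the bytes remaining in `buf`.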