> Currently ax.c doesn't check the maximum length of an OID in ax_pdutooid.
> This can lead to a buffer overflow. Even though it must be fixed, I
> don't think there's a big risk here, since an attacker would need to have
> access to the agentx socket, which by default is disabled and defaults
> to root:_agentx when enabled.

Here's the libagentx counterpart.

OK?

martijn@

Index: ax.c
===================================================================
RCS file: /cvs/src/lib/libagentx/ax.c,v
retrieving revision 1.8
diff -u -p -r1.8 ax.c
--- ax.c        24 Oct 2021 17:43:38 -0000      1.8
+++ ax.c        9 Oct 2023 20:14:13 -0000
@@ -1262,6 +1262,8 @@ ax_pdutooid(struct ax_pdu_header *header
        }
        buf++;
        oid->aoi_include = *buf;
+       if (oid->aoi_idlen > AX_OID_MAX_LEN)
+               goto fail;
        for (buf += 2; i < oid->aoi_idlen; i++, buf += 4)
                oid->aoi_id[i] = ax_pdutoh32(header, buf);
 
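Review bot: the `> AX_OID_MAX_LEN` comparison is only safe if `aoi_id` in struct ax_oid is declared with AX_OID_MAX_LEN entries; please confirm that declaration, since an off-by-one there would still let the loop write one element past the end. It would also be cleaner to place the check directly after `aoi_idlen` is read from the PDU, ahead of the `oid->aoi_include = *buf;` load, so that any earlier use of aoi_idlen in ax_pdutooid() above this hunk is covered as well; the loop itself is correctly bounded once the check is in place, assuming `i` starts at 0 in the context above.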

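To make the bug concrete, here is an added example, not libagentx code and not part of this thread: a minimal decoder for the AgentX Object Identifier encoding (RFC 2741: one byte n_subid, one byte prefix, one byte include, one reserved byte, then n_subid four-byte sub-identifiers), written once without and once with the sub-identifier bound the patch adds. All names (oid_parse_unchecked, oid_parse_checked, OID_MAX_SUBIDS, struct ax_oid), the bound of 128, the fixed big-endian byte order (real AgentX honours the header's NETWORK_BYTE_ORDER flag, which ax_pdutoh32 handles) and the sample encodings are this example's own assumptions. The prefix byte is decoded but not expanded.

```c
/*
 * Added example, not libagentx code: AgentX OID decoding with and without
 * a bound on the wire-supplied sub-identifier count.
 */
#include <sys/types.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define OID_MAX_SUBIDS 128   /* assumed bound; libagentx uses AX_OID_MAX_LEN */

struct ax_oid {              /* example struct, not libagentx's */
	uint8_t  n_subid;
	uint8_t  prefix;
	uint8_t  include;
	uint32_t subid[OID_MAX_SUBIDS];
};

/* Fixed big-endian read; the real protocol selects byte order per PDU. */
static uint32_t
get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	    ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Vulnerable form: trusts n_subid from the wire.  With n_subid larger than
 * OID_MAX_SUBIDS the loop writes past the end of oid->subid, which is the
 * overflow discussed above.  Returns bytes consumed or -1 if the 4-byte OID
 * header itself does not fit.
 */
ssize_t
oid_parse_unchecked(const uint8_t *buf, size_t len, struct ax_oid *oid)
{
	size_t i;

	if (len < 4)
		return -1;
	oid->n_subid = buf[0];
	oid->prefix = buf[1];
	oid->include = buf[2];
	for (i = 0; i < oid->n_subid; i++)        /* no bound, no length check */
		oid->subid[i] = get_be32(buf + 4 + 4 * i);
	return 4 + 4 * (ssize_t)oid->n_subid;
}

/*
 * Hardened form: reject the count before the first write to subid[], and
 * also require that every advertised sub-identifier is present in the
 * buffer so the loop never reads past the PDU either.
 */
ssize_t
oid_parse_checked(const uint8_t *buf, size_t len, struct ax_oid *oid)
{
	size_t i, need;

	if (len < 4)
		return -1;
	oid->n_subid = buf[0];
	oid->prefix = buf[1];
	oid->include = buf[2];
	if (oid->n_subid > OID_MAX_SUBIDS)
		return -1;
	need = 4 + 4 * (size_t)oid->n_subid;
	if (len < need)
		return -1;
	for (i = 0; i < oid->n_subid; i++)
		oid->subid[i] = get_be32(buf + 4 + 4 * i);
	return (ssize_t)need;
}

/* Constructed sample encodings, not captured traffic. */
/* 1.3.6.1: n_subid 4, prefix 0, include 0, reserved 0, then four sub-ids. */
const uint8_t valid_oid[] = {
	4, 0, 0, 0,
	0, 0, 0, 1,
	0, 0, 0, 3,
	0, 0, 0, 6,
	0, 0, 0, 1,
};
/* n_subid 200 with all 200 sub-ids present: complete on the wire, but 72
 * entries more than the struct can hold. */
const uint8_t oversize_oid[4 + 4 * 200] = { 200, 0, 0, 0 };

int
main(void)
{
	struct ax_oid oid;

	printf("valid: checked=%zd unchecked=%zd\n",
	    oid_parse_checked(valid_oid, sizeof(valid_oid), &oid),
	    oid_parse_unchecked(valid_oid, sizeof(valid_oid), &oid));
	printf("oversize: checked=%zd\n",
	    oid_parse_checked(oversize_oid, sizeof(oversize_oid), &oid));
	printf("truncated: checked=%zd\n",
	    oid_parse_checked(valid_oid, 12, &oid));
	return 0;
}
```

Only the hardened decoder is ever handed the oversize encoding; calling the unchecked one with it would be exactly the out-of-bounds write the patch prevents. The second check (buffer length against the advertised count) is the companion bound a reviewer would look for next to the count check.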