Details

    • Type: Incident report
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0.7rc1, 2.1.0
    • Fix Version/s: 2.0.7rc1, 2.1.0
    • Component/s: Agent (G)
    • Labels:
      None
    • Environment:
      GNU/Linux with dpkg package manager

      Description

      In src/libs/zbxsysinfo/linux/software.c there is a function:

          static int dpkg_parser(const char *line, char *package, size_t max_package_len)
          {
              char fmt[32], tmp[32];

              zbx_snprintf(fmt, sizeof(fmt), "%%" ZBX_FS_SIZE_T "s %%" ZBX_FS_SIZE_T "s",
                      (zbx_fs_size_t)max_package_len, (zbx_fs_size_t)sizeof(tmp));

              if (2 != sscanf(line, fmt, package, tmp) || 0 != strcmp(tmp, "install"))
                  return FAIL;
              ...

      A call to zbx_snprintf() produces a format line fmt="%2048s %32s", which is passed to sscanf(). Should a 2048-character string come to sscanf(), it would write the terminating '\0' as the 2049th byte. The same applies to "tmp" of size 32.
      Patch is attached.
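
The off-by-one described above, as an added example (not code from the Zabbix source or the attached patch): a `%Ns` conversion stores up to N characters plus a terminating '\0', so the buffer needs N + 1 bytes. The names `guard_clobbered()` and `parse_selection()` and the sample lines are constructed for illustration, and plain snprintf() stands in for zbx_snprintf().

```c
#include <stdio.h>
#include <string.h>

#define GUARD 0x7f   /* constructed marker byte placed just past the logical buffer */

/* Scan one token into a logical buffer of buf_len bytes using field width `width`.
 * The backing array carries one extra guard byte, so the off-by-one write is
 * observable without undefined behaviour.
 * Returns 1 if the guard was overwritten, 0 if intact, -1 on bad arguments. */
static int guard_clobbered(const char *line, size_t buf_len, size_t width)
{
    char backing[64 + 1], fmt[32];

    if (0 == width || width > buf_len || buf_len > 64)
        return -1;
    memset(backing, GUARD, sizeof(backing));
    snprintf(fmt, sizeof(fmt), "%%%zus", width);
    if (1 != sscanf(line, fmt, backing))
        return -1;
    return GUARD != backing[buf_len];
}

/* Hypothetical hardened parser: each width is the buffer size minus one,
 * leaving room for the '\0' that sscanf() appends after the scanned characters. */
static int parse_selection(const char *line, char *package, size_t max_package_len)
{
    char fmt[32], tmp[32];

    if (max_package_len < 2)
        return -1;
    snprintf(fmt, sizeof(fmt), "%%%zus %%%zus", max_package_len - 1, sizeof(tmp) - 1);
    if (2 != sscanf(line, fmt, package, tmp) || 0 != strcmp(tmp, "install"))
        return -1;
    return 0;
}

int main(void)
{
    char pkg[8];

    printf("width == size:     guard clobbered = %d\n", guard_clobbered("abcdefgh", 8, 8));
    printf("width == size - 1: guard clobbered = %d\n", guard_clobbered("abcdefgh", 8, 7));
    printf("parse ok = %d\n", parse_selection("zabbix\tinstall", pkg, sizeof(pkg)));
    return 0;
}
```

With the reduced widths an over-long package name is split across both conversions, so the second token no longer equals "install" and the line is rejected instead of overflowing.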

            People

            • Assignee:
              Unassigned
              Reporter:
              andris Andris Mednis