In src/libs/zbxsysinfo/linux/software.c there is a function
static int dpkg_parser(const char *line, char *package, size_t max_package_len)
{
	char	fmt[32], tmp[32];

	zbx_snprintf(fmt, sizeof(fmt), "%%" ZBX_FS_SIZE_T "s %%" ZBX_FS_SIZE_T "s",
			(zbx_fs_size_t)max_package_len, (zbx_fs_size_t)sizeof(tmp));

	if (2 != sscanf(line, fmt, package, tmp) || 0 != strcmp(tmp, "install"))
		return FAIL;
	...
The call to zbx_snprintf() produces the format string fmt="%2048s %32s", which is then passed to sscanf(). A "%Ns" conversion stores up to N characters and then a terminating '\0', so if a 2048-character token reaches sscanf(), the terminator is written as the 2049-th byte of "package", one past the end of the buffer. The same off-by-one applies to "tmp", whose width is 32 for a buffer of size 32. The width passed for each field should be the buffer size minus one.
Patch is attached.
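The following is an added example, not code from the report or from Zabbix. It demonstrates the off-by-one described above without any out-of-bounds write (by scanning into a deliberately oversized, sentinel-filled buffer and counting the bytes touched), and shows the parser pattern rewritten with the field width set to the buffer size minus one. It assumes plain snprintf() in place of zbx_snprintf(), uses -1/0 in place of FAIL/SUCCEED, and the dpkg status lines are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Shows that "%8s" writes 8 characters plus a '\0': 9 bytes in total.
 * The destination is 16 bytes so the measurement itself is in bounds. */
int scanf_width_bytes_written(void)
{
	char	buf[16];
	size_t	n = 0;

	memset(buf, 'X', sizeof(buf));			/* sentinel, absent from the input */

	if (1 != sscanf("abcdefghijklmnop", "%8s", buf))
		return -1;

	while (n < sizeof(buf) && 'X' != buf[n])	/* count bytes overwritten by sscanf() */
		n++;

	return (int)n;					/* 9: eight characters and the terminator */
}

/* Corrected parser pattern (example code, not the Zabbix patch): the width
 * given to each "%...s" is the buffer size minus one so the '\0' fits. */
int dpkg_parser_fixed(const char *line, char *package, size_t max_package_len)
{
	char	fmt[32], tmp[32];

	if (max_package_len < 2)
		return -1;

	/* "%%" yields a literal '%'; the widths become e.g. "%2047s %31s" */
	snprintf(fmt, sizeof(fmt), "%%%zus %%%zus", max_package_len - 1, sizeof(tmp) - 1);

	if (2 != sscanf(line, fmt, package, tmp) || 0 != strcmp(tmp, "install"))
		return -1;	/* FAIL */

	return 0;		/* SUCCEED */
}

/* Hands the fixed parser an 8-byte window inside a sentinel-filled arena and
 * checks that nothing past the window was modified and that the result is
 * still NUL-terminated (the over-long name is truncated, not overflowed). */
int fixed_parser_stays_in_bounds(void)
{
	char	arena[16];
	size_t	i;

	memset(arena, 'X', sizeof(arena));
	(void)dpkg_parser_fixed("abcdefghijklmnop install", arena, 8);

	for (i = 8; i < sizeof(arena); i++)
		if ('X' != arena[i])
			return 0;

	return '\0' == arena[7];
}

/* Constructed "dpkg --get-selections"-style line: name, tabs, state. */
int parses_installed_package(void)
{
	char	pkg[64];

	if (0 != dpkg_parser_fixed("zabbix-agent\t\t\t\tinstall", pkg, sizeof(pkg)))
		return 0;

	return 0 == strcmp(pkg, "zabbix-agent");
}

/* A package in any state other than "install" is rejected, as in the original. */
int rejects_other_states(void)
{
	char	pkg[64];

	return -1 == dpkg_parser_fixed("foo\t\t\t\tdeinstall", pkg, sizeof(pkg));
}

int main(void)
{
	printf("bytes written by \"%%8s\": %d\n", scanf_width_bytes_written());
	printf("fixed parser in bounds: %d\n", fixed_parser_stays_in_bounds());
	printf("parses installed package: %d\n", parses_installed_package());
	printf("rejects other states: %d\n", rejects_other_states());
	return 0;
}
```

The first function is the cheapest way to check a scanf width convention on a given libc: the count comes out one higher than the width, which is exactly the byte the original "%2048s"/"%32s" formats place past the end of "package" and "tmp".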