[ZBX-6655] Buffer overflow in Zabbix agent Created: 2013 Jun 04  Updated: 2017 May 30  Resolved: 2013 Jun 13

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: Agent (G)
Affects Version/s: 2.0.7rc1, 2.1.0
Fix Version/s: 2.0.7rc1, 2.1.0

Type: Incident report Priority: Blocker
Reporter: Andris Mednis Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: GNU/Linux with dpkg package manager


Attachments: File dpkg_parser.patch    

Description

In src/libs/zbxsysinfo/linux/software.c there is a function:

	static int	dpkg_parser(const char *line, char *package, size_t max_package_len)
	{
		char	fmt[32], tmp[32];

		/* builds a format such as "%2048s %32s": each width equals the full buffer size,
		 * leaving no room for the terminating '\0' that sscanf() appends */
		zbx_snprintf(fmt, sizeof(fmt), "%%" ZBX_FS_SIZE_T "s %%" ZBX_FS_SIZE_T "s",
				(zbx_fs_size_t)max_package_len, (zbx_fs_size_t)sizeof(tmp));

		if (2 != sscanf(line, fmt, package, tmp) || 0 != strcmp(tmp, "install"))
			return FAIL;
		...

A call to zbx_snprintf() produces a format line fmt="%2048s %32s", which is passed to sscanf(). Should a 2048-character string come to sscanf(), it would write the terminating '\0' as the 2049th byte. The same applies to "tmp" of size 32.
Patch is attached.
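As an added illustration of the off-by-one described above (not code from the report or the attached patch): width_fits() checks whether a "%Ns" width is safe for a buffer of a given size, and dpkg_parser_fixed() is an assumed reconstruction of the corrected parser with widths of size minus one, using %zu in place of ZBX_FS_SIZE_T and with an added guard on max_package_len.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FAIL	-1
#define SUCCEED	0

/* Bytes a "%Ns" conversion may store: N characters plus the '\0' that
 * sscanf() always appends. This is the off-by-one the report describes. */
static size_t bytes_written_by_width(size_t width)
{
	return width + 1;
}

/* 1 when a buffer of buf_size bytes can hold everything "%Ns" writes. */
static int width_fits(size_t width, size_t buf_size)
{
	return bytes_written_by_width(width) <= buf_size;
}

/* Hardened reconstruction of dpkg_parser() (assumed, not Zabbix's code):
 * each width is the buffer size minus one, so the terminator always fits.
 * %zu replaces ZBX_FS_SIZE_T; the max_package_len guard is an addition. */
static int dpkg_parser_fixed(const char *line, char *package, size_t max_package_len)
{
	char	fmt[32], tmp[32];

	if (max_package_len < 2)	/* need room for one character plus '\0' */
		return FAIL;

	snprintf(fmt, sizeof(fmt), "%%%zus %%%zus", max_package_len - 1, sizeof(tmp) - 1);

	if (2 != sscanf(line, fmt, package, tmp) || 0 != strcmp(tmp, "install"))
		return FAIL;

	return SUCCEED;
}

/* Parse a constructed dpkg line into an 8-byte buffer; 1 when the parse
 * succeeds and the package name equals expected, 0 otherwise. */
static int parse_into_small_buffer(const char *line, const char *expected)
{
	char	pkg[8] = {0};

	if (SUCCEED != dpkg_parser_fixed(line, pkg, sizeof(pkg)))
		return 0;

	return 0 == strcmp(pkg, expected);
}
```

With the original widths, the ten-character name in the second constructed line would have made sscanf() store nine bytes into the eight-byte buffer; with the corrected width the name is truncated and the status check rejects the line.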



Comments
Comment by Alexander Vladishev [ 2013 Jun 13 ]

Fixed in the development branch svn://svn.zabbix.com/branches/dev/ZBX-6655.

Comment by Alexander Vladishev [ 2013 Jun 13 ]

Successfully tested!

Code formatting should be fixed before merge to the stable branch:

- (zbx_fs_size_t)(max_package_len - 1), (zbx_fs_size_t)(sizeof(tmp) -1));
+ (zbx_fs_size_t)(max_package_len - 1), (zbx_fs_size_t)(sizeof(tmp) - 1));
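Review bot: the spacing fix is fine, but both lines compute the widths as (max_package_len - 1) and (sizeof(tmp) - 1) in unsigned arithmetic, so a max_package_len of 0 would wrap to a huge width and defeat the bound; a guard such as `if (0 == max_package_len) return FAIL;` at the top of dpkg_parser() would make the fix robust against any caller. The `- 1` itself is correct: it reserves the byte sscanf() uses for the terminating '\0'.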

igorsh RESOLVED in r36352.

sasha CLOSED

Comment by Igors Homjakovs (Inactive) [ 2013 Jul 02 ]

Fixed in versions pre-2.0.7 r36639 and pre-2.1.0 (trunk) r36638.
