Ethereal-dev: Re: [Ethereal-dev] error: UCD SNMP

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Fri, 22 Mar 2002 12:09:51 -0800

On Fri, Mar 22, 2002 at 07:40:57AM -0600, Frank Singleton wrote:
> Do I have an old SNMP lib ?

If your SNMP library isn't 4.2.2 or later, yes, you do have an old SNMP
library.

The old SNMP library does not have APIs that would allow programs using
it to format OIDs and variable bindings to be safe from buffer
overflows; they only have routines that format into a caller-supplied
buffer and that do *no* bounds checking.

(Furthermore, even *current* versions of the library use an internal
buffer for one of those routines, and do no bounds checking on that
buffer.  It turns out it's not necessary to use that buffer; the current
CVS code includes changes to make it not do so, but there's no release
with those changes yet - it'll presumably show up in the final 4.2.4
release when it comes out.)

> I think the last nightly tarball I did compile successfully on my
> box was ethereal-2002-02-08 .
> 
> So perhaps something has changed between these 2 dates ?

Yes, something changed - the SNMP code changed to use the new APIs
rather than the old unsafe ones.
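
The difference the message describes, between formatting an OID into a caller-supplied buffer with no bounds checking and formatting with the buffer size passed in, shown as an added example that is not part of the original message and is not Ethereal or UCD SNMP code. The function names and the sample OID are hypothetical, constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed sample input: 1.3.6.1.2.1.1.1.0 */
const unsigned long sample_oid[] = { 1, 3, 6, 1, 2, 1, 1, 1, 0 };
#define SAMPLE_LEN (sizeof sample_oid / sizeof sample_oid[0])

/* Unbounded pattern (hypothetical name): the callee is never told how big
 * buf is, so a long enough OID writes past its end. Shown for contrast
 * only; nothing below calls it. */
void format_oid_unbounded(char *buf, const unsigned long *oid, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        buf += sprintf(buf, ".%lu", oid[i]);
}

/* Bounded pattern (hypothetical name): the caller passes the buffer size.
 * Returns the string length on success, or -1 if the text does not fit;
 * buf then holds a NUL-terminated prefix that ends on a sub-identifier
 * boundary, so a caller never sees a half-written number. */
int format_oid_bounded(char *buf, size_t buflen,
                       const unsigned long *oid, size_t n)
{
    size_t used = 0, i;

    if (buflen == 0)
        return -1;
    buf[0] = '\0';
    for (i = 0; i < n; i++) {
        int w = snprintf(buf + used, buflen - used, ".%lu", oid[i]);
        if (w < 0 || (size_t)w >= buflen - used) {
            buf[used] = '\0';   /* drop the partial sub-identifier */
            return -1;
        }
        used += (size_t)w;
    }
    return (int)used;
}

int main(void)
{
    char buf[12];   /* deliberately too small for the sample OID */
    int r = format_oid_bounded(buf, sizeof buf, sample_oid, SAMPLE_LEN);
    printf("%d \"%s\"\n", r, buf);
    return 0;
}
```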