ravthan / all-eyes

Automatically exported from code.google.com/p/all-eyes

Module selfmon.c, Function selfmonResponse #112

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Function selfmonResponse builds a message string to send. It uses strncat multiple times in a potentially vulnerable fashion. Example:

    strncat(out, AE_PROTCOL_VER, strlen(AE_PROTCOL_VER));

Rather than calculating the defined max length of the AE_PROTOCOL field, it reads the existing length of the field. If malicious or misbehaved code has modified the field since its creation, this could allow the potential for malformed messages. This needs to be handled for each field of the message.
In addition, this function never checks to ensure the max length is less than or equal to the defined maximum of 1204.

Original issue reported on code.google.com by prhamm...@gmail.com on 24 Nov 2012 at 7:59
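The pattern the report asks for, as an added example (not code from all-eyes): each append is bounded by the space left in the destination and by the field's defined maximum, and the build fails instead of truncating or overrunning. The helper names, the "<ver>:<name>:<status>" layout and the limits 2, 16 and 8 are assumptions made for illustration.

```c
#include <string.h>

/* Length of s, reading at most max + 1 bytes; max + 1 means "no NUL found". */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n <= max && s[n] != '\0')
        n++;
    return n;
}

/* Append one field; field_max is its defined maximum length. Returns 0, or -1
 * (dst unchanged) if src exceeds field_max, dst is unterminated, or the result
 * does not fit in dst_size. The bound comes from dst, not from strlen(src). */
int msg_append(char *dst, size_t dst_size, const char *src, size_t field_max)
{
    if (dst_size == 0)
        return -1;
    size_t used = bounded_len(dst, dst_size - 1);
    size_t len = bounded_len(src, field_max);
    if (used >= dst_size || len > field_max || len > dst_size - 1 - used)
        return -1;
    memcpy(dst + used, src, len);
    dst[used + len] = '\0';
    return 0;
}

/* Hypothetical layout "<ver>:<name>:<status>"; limits 2, 16 and 8 are assumed.
 * Returns the message length, or -1 if any field is rejected. */
int build_response(char *out, size_t out_size,
                   const char *ver, const char *name, const char *status)
{
    if (out_size == 0)
        return -1;
    out[0] = '\0';
    if (msg_append(out, out_size, ver, 2) || msg_append(out, out_size, ":", 1) ||
        msg_append(out, out_size, name, 16) || msg_append(out, out_size, ":", 1) ||
        msg_append(out, out_size, status, 8))
        return -1;
    return (int)strlen(out);
}

int main(void)
{
    char out[32]; /* constructed size, small so the reject path is easy to hit */
    return build_response(out, sizeof out, "10", "selfmon", "OK") == 13 ? 0 : 1;
}
```
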

GoogleCodeExporter commented 8 years ago
This is not a vulnerability. strncat's last parameter tells the maximum number of characters (n+1) that can be copied to the destination buffer. But in our case, AE_PROTCOL_VER is defined to be a 2-character string.
Hence it is not a bug.
ravi.

Original comment by ravt...@gmail.com on 25 Nov 2012 at 7:10

GoogleCodeExporter commented 8 years ago

Original comment by toddd...@gmail.com on 4 Dec 2012 at 12:39