A statically allocated buffer is overwritten when a very long Object Identifier (OID) in stringified dotted notation is passed to the smiGetNode function of libsmi.
The smiGetNode function returns a SmiNode struct given the name of an OID as a char *, in either numeric form (e.g. "1.3.6.1.2.1.4.17") or human-readable form (e.g. "ipForwarding"). The function uses a fixed-size array of 128 elements of type unsigned int to hold the OID in numeric form:
...
SmiSubid oid[128];
...
Note that SmiSubid is a typedef of unsigned int.
This array is populated by a loop that calls strtok and then strtoul on each token, in the case that the OID supplied as a char * consists of numbers separated by periods.
...
    if (isdigit((int)node2[0])) {
        for (oidlen = 0, p = strtok(node2, ". "); p;
             oidlen++, p = strtok(NULL, ". ")) {
            oid[oidlen] = strtoul(p, NULL, 0);
        }
    }
...
That loop clearly writes past the bounds of oid when the string contained in node2 has more than 128 dots ("."), since oidlen is never compared against the array size before the store. This constitutes a classic buffer overflow that can likely be leveraged into reliable arbitrary code execution.
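For comparison, the following is a bounds-checked rewrite of the quoted loop, added to this advisory as an illustration; it is not libsmi's code or a patch from the project. It keeps the same strtok/strtoul structure and the same 128-element SmiSubid array, but refuses to store a sub-identifier once oidlen reaches the array capacity and reports failure instead of writing past the end. The helper names (parse_oid_checked, make_dotted_oid, parse_constructed_oid) and the constructed test OIDs are this example's own; strtoul is called with base 10 rather than the original's base 0 so that a trailing non-digit is detected.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors libsmi's typedef; the 128-element limit is the one quoted in the advisory. */
typedef unsigned int SmiSubid;
#define OID_MAX_LEN 128

/*
 * Bounds-checked version of the strtok/strtoul loop quoted from smiGetNode
 * (hypothetical replacement written for this advisory, not libsmi's code).
 * Parses a dotted-numeric OID such as "1.3.6.1.2.1.4.17" into oid[], which has
 * room for oid_cap sub-identifiers. Returns the number of sub-identifiers
 * stored, or -1 if the input does not start with a digit, has more than oid_cap
 * components, or contains a component that is not an unsigned decimal number.
 * The original loop stores unconditionally; this one checks oidlen before every
 * store, so oid[oid_cap - 1] is the last element it can ever write.
 */
int parse_oid_checked(const char *dotted, SmiSubid *oid, size_t oid_cap)
{
    if (dotted == NULL || oid == NULL || oid_cap == 0 || !isdigit((unsigned char)dotted[0]))
        return -1;

    /* strtok writes into its argument, so parse a private copy (the original's node2). */
    size_t len = strlen(dotted);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, dotted, len + 1);

    size_t oidlen = 0;
    int ok = 1;
    for (char *p = strtok(copy, ". "); p != NULL; p = strtok(NULL, ". ")) {
        if (oidlen >= oid_cap) {          /* the check the original loop lacks */
            ok = 0;
            break;
        }
        char *end = NULL;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p || *end != '\0') {   /* reject "1x", "x" and the like */
            ok = 0;
            break;
        }
        oid[oidlen++] = (SmiSubid)v;
    }
    free(copy);
    return ok ? (int)oidlen : -1;
}

/* Builds a constructed OID "1.1.1..." with n components; the caller frees the result. */
char *make_dotted_oid(size_t n)
{
    char *s = malloc(2 * n + 1);
    if (s == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        s[2 * i] = '1';
        s[2 * i + 1] = (i + 1 < n) ? '.' : '\0';
    }
    s[2 * n] = '\0'; /* covers n == 0 */
    return s;
}

/* Parses a constructed n-component OID into a 128-element array; returns the parse result. */
int parse_constructed_oid(size_t n)
{
    SmiSubid oid[OID_MAX_LEN];
    char *s = make_dotted_oid(n);
    if (s == NULL)
        return -1;
    int rc = parse_oid_checked(s, oid, OID_MAX_LEN);
    free(s);
    return rc;
}

int main(void)
{
    SmiSubid oid[OID_MAX_LEN];
    int n = parse_oid_checked("1.3.6.1.2.1.4.17", oid, OID_MAX_LEN);
    printf("short OID: %d sub-identifiers, last = %u\n", n, n > 0 ? oid[n - 1] : 0u);
    printf("128 components: %d\n", parse_constructed_oid(128));
    printf("129 components: %d (rejected instead of overflowing)\n", parse_constructed_oid(129));
    return 0;
}
```

The design point is that the length check happens before the store, not after the loop: counting sub-identifiers and then comparing oidlen against 128 would already be too late, because the out-of-bounds writes would have occurred while counting.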
To verify whether the version of libsmi installed on a Unix-based system is vulnerable, the code example (smisubtree) from man libsmi can be used. This program calls smiGetNode in the following way in line 17:
Disclosure Timeline:
2010-09-06: Vincent Bernat, the Debian package maintainer for libsmi, is contacted.
2010-10-20: Advisory CORE-2010-0819 is released.