diff -urNp a/snmplib/snmp_api.c b/snmplib/snmp_api.c --- a/snmplib/snmp_api.c 2020-09-29 14:08:09.821479662 +0200 +++ b/snmplib/snmp_api.c 2020-10-01 10:15:46.607374362 +0200 @@ -769,7 +769,7 @@ snmp_sess_init(netsnmp_session * session session->retries = SNMP_DEFAULT_RETRIES; session->version = SNMP_DEFAULT_VERSION; session->securityModel = SNMP_DEFAULT_SECMODEL; - session->rcvMsgMaxSize = SNMP_MAX_MSG_SIZE; + session->rcvMsgMaxSize = netsnmp_max_send_msg_size(); session->sndMsgMaxSize = netsnmp_max_send_msg_size(); session->flags |= SNMP_FLAGS_DONT_PROBE; } @@ -2731,7 +2731,7 @@ snmpv3_packet_build(netsnmp_session * se /* * build a scopedPDU structure into spdu_buf */ - spdu_buf_len = SNMP_MAX_MSG_SIZE; + spdu_buf_len = sizeof(spdu_buf); DEBUGDUMPSECTION("send", "ScopedPdu"); cp = snmpv3_scopedPDU_header_build(pdu, spdu_buf, &spdu_buf_len, &spdu_hdr_e); @@ -2743,6 +2743,11 @@ snmpv3_packet_build(netsnmp_session * se */ DEBUGPRINTPDUTYPE("send", ((pdu_data) ? *pdu_data : 0x00)); if (pdu_data) { + if (cp + pdu_data_len > spdu_buf + sizeof(spdu_buf)) { + snmp_log(LOG_ERR, "%s: PDU too big (%" NETSNMP_PRIz "d > %" NETSNMP_PRIz "d)\n", + __func__, pdu_data_len, sizeof(spdu_buf)); + return -1; + } memcpy(cp, pdu_data, pdu_data_len); cp += pdu_data_len; } else { @@ -2756,7 +2761,7 @@ snmpv3_packet_build(netsnmp_session * se * re-encode the actual ASN.1 length of the scopedPdu */ spdu_len = cp - spdu_hdr_e; /* length of scopedPdu minus ASN.1 headers */ - spdu_buf_len = SNMP_MAX_MSG_SIZE; + spdu_buf_len = sizeof(spdu_buf); if (asn_build_sequence(spdu_buf, &spdu_buf_len, (u_char) (ASN_SEQUENCE | ASN_CONSTRUCTOR), spdu_len) == NULL) @@ -2769,7 +2774,7 @@ snmpv3_packet_build(netsnmp_session * se * message - the entire message to transmitted on the wire is returned */ cp = NULL; - *out_length = SNMP_MAX_MSG_SIZE; + *out_length = sizeof(spdu_buf); DEBUGDUMPSECTION("send", "SM msgSecurityParameters"); sptr = find_sec_mod(pdu->securityModel); if (sptr && sptr->encode_forward) {