In asn_realloc_rbuild_int,
testvalue must be derived from the truncated value,
not from the original input.
Otherwise there is a lot of possible input that can lead
to "while (0 != -1) { realloc }".
-- Lars Ellenberg
CHECK_OVERFLOW_S does for negative values:
... } else if (x < INT32_MIN) {
trunc = 1;
x = 0 - (x & 0xffffffff);
}
which means that for the current code
there is a lot of possible input that
results in integer = 0, testvalue = -1.
Even though this patch is against 5.2.3,
the code in 5.4.1 does look the same.
--- net-snmp-5.2.3.orig/snmplib/asn1.c.orig 2008-03-19 14:53:19.317275623
+0000
+++ net-snmp-5.2.3/snmplib/asn1.c 2008-03-19 14:53:25.653694329 +0000
@@ -2735,7 +2735,7 @@
}
CHECK_OVERFLOW_S(integer,10);
- testvalue = (*intp < 0) ? -1 : 0;
+ testvalue = (integer < 0) ? -1 : 0;
if (((*pkt_len - *offset) < 1) && !(r && asn_realloc(pkt, pkt_len))) {
return 0;
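Review bot: the one-line change from `testvalue = (*intp < 0) ? -1 : 0;` to `testvalue = (integer < 0) ? -1 : 0;` is the right fix, because CHECK_OVERFLOW_S(integer,10) on the preceding line can turn a negative *intp into integer == 0 (for a value below INT32_MIN whose low 32 bits are zero, 0 - (x & 0xffffffff) yields 0), so a testvalue derived from the untruncated *intp leaves the sign-extension loop comparing 0 against -1 and never terminating. Two follow-ups: since the message notes that 5.4.1 carries the same code, the same change should be applied there as well; and because the x = 0 - (x & 0xffffffff) branch of CHECK_OVERFLOW_S is what changes the sign of the value in the first place, that macro deserves a review of its own rather than only this one consumer of it.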
--
: Lars Ellenberg Tel +43-1-8178292-55 :
: LINBIT Information Technologies GmbH Fax +43-1-8178292-82 :
: Vivenotgasse 48, A-1120 Vienna/Europe http://www.linbit.com :
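The mismatch the message describes, as an added stand-alone example (not net-snmp code): check_overflow_s below transcribes only the negative branch of CHECK_OVERFLOW_S as quoted in the message (the positive branch is not shown there and is left out), and the two testvalue helpers compute the pre-patch and post-patch test value so a regression check can assert that the truncated value and its test value agree.

```c
#include <stdint.h>

/* Negative-overflow branch of CHECK_OVERFLOW_S, transcribed from the
 * message above (assumption: the positive branch is omitted because it
 * is not shown there).  Returns 1 when the value was truncated. */
static int check_overflow_s(int64_t *x)
{
    if (*x < INT32_MIN) {
        *x = 0 - (*x & 0xffffffff);
        return 1;
    }
    return 0;
}

/* The value the encoder actually works on after truncation. */
static int64_t truncated_value(int64_t input)
{
    int64_t integer = input;
    check_overflow_s(&integer);
    return integer;
}

/* testvalue as computed before the patch: from the untruncated input. */
static int64_t testvalue_from_input(int64_t input)
{
    return (input < 0) ? -1 : 0;
}

/* testvalue as computed after the patch: from the truncated value. */
static int64_t testvalue_from_truncated(int64_t input)
{
    return (truncated_value(input) < 0) ? -1 : 0;
}

/* Regression check: 1 when the pre-patch testvalue disagrees with the
 * sign of the value being encoded (the "while (0 != -1)" case). */
static int mismatch_before_patch(int64_t input)
{
    int64_t v = truncated_value(input);
    int64_t t = testvalue_from_input(input);
    return (v == 0 && t == -1) || (v < 0 && t == 0);
}

/* Same check with the patched derivation; always 0 by construction. */
static int mismatch_after_patch(int64_t input)
{
    int64_t v = truncated_value(input);
    int64_t t = testvalue_from_truncated(input);
    return (v == 0 && t == -1) || (v < 0 && t == 0);
}
```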
Net-snmp-coders mailing list
https://lists.sourceforge.net/lists/listinfo/net-snmp-coders