When experimenting with snmpd I found the following crash:
$ snmpctl snmp walk 127.0.0.1 oid 1
Segmentation fault (core dumped)

The problem is a NULL dereference in ber_free_elements:
#0  0x00000370920d24ca in ber_free_elements (root=0x0) at 
/usr/src/usr.sbin/snmpctl/../snmpd/ber.c:897
#1  0x00000370920d4386 in ber_printf_elements (ber=0x0, fmt=0x370920c79b9 
"0}}") at /usr/src/usr.sbin/snmpctl/../snmpd/ber.c:645
#2  0x00000370920dbd0d in snmpc_sendreq (sc=0x7f7ffffbdcf0, type=1) at 
/usr/src/usr.sbin/snmpctl/snmpclient.c:413
#3  0x00000370920dba93 in snmpc_request (sc=0x7f7ffffbdcf0, type=1) at 
/usr/src/usr.sbin/snmpctl/snmpclient.c:217
#4  0x00000370920dba38 in snmpc_run (sc=0x7f7ffffbdcf0, action=WALK, 
oid=0x373171110e0 "1") at /usr/src/usr.sbin/snmpctl/snmpclient.c:207
#5  0x00000370920db891 in snmpclient (res=0x3709211f4e8) at 
/usr/src/usr.sbin/snmpctl/snmpclient.c:175
#6  0x00000370920dc8b4 in main (argc=5, argv=0x7f7ffffbe1a0) at 
/usr/src/usr.sbin/snmpctl/snmpctl.c:133

A simple NULL check fixes the issue, but since I'm new to BER and SNMP
I'm not sure if this is the right approach or whether there's a logic
fault somewhere else.

$ ./snmpctl snmp walk 127.0.0.1 oid 1
snmpctl: request failed: Invalid argument

martijn@

Index: ber.c
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/ber.c,v
retrieving revision 1.48
diff -u -p -r1.48 ber.c
--- ber.c       12 Aug 2018 22:04:09 -0000      1.48
+++ ber.c       1 Nov 2018 10:56:47 -0000
@@ -894,6 +894,8 @@ ber_free_element(struct ber_element *roo
 void
 ber_free_elements(struct ber_element *root)
 {
+       if (root == NULL)
+               return;
        if (root->be_sub && (root->be_encoding == BER_TYPE_SEQUENCE ||
            root->be_encoding == BER_TYPE_SET))
                ber_free_elements(root->be_sub);
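Review bot: the guard added at the top of ber_free_elements() is harmless and makes the function tolerate NULL the way free(3) does, but it fixes the symptom rather than the cause. The backtrace shows frame #1 already entering ber_printf_elements() with ber=0x0 from snmpc_sendreq() (snmpclient.c:413), so the element tree for the request was never built before it was passed down; with this hunk alone the caller still hands a NULL around and only gets "Invalid argument" back. Suggest additionally checking the return value of whatever builds that element in snmpc_sendreq() (the walk was started with oid "1", so the construction of the request from that argument is the first place to look) and failing there with a message that names the real cause, so the NULL check here becomes a backstop rather than the only error path.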