On Tue, Aug 13, 2019 at 03:27:17PM +0200, Martijn van Duren wrote:
> I managed to make snmp(1) crash, when I sent a malformed snmp packet.
> Specifically when I have a varbind with an oid, but no value.
>
> I test for this case via ber_scanf_elements("{oS}", which presumably
> would crap out if my skip doesn't have an element. Unfortunately reality
> is that the be_next is skipped and we try again with the same value.
>
> This can give us extremely weird results if we scan for two consecutive
> elements of the same type (e.g. "ss") where the second element is
> non-existent. This would result in the second element having the data
> of the first element.
>
> Diff below fixes this.
>
> OK?
If the various regress tests still work with this then OK claudio@
It for sure makes sense but I wouldn't be surprised if there is code
that expects this weird behaviour.
> martijn@
>
> Index: ber.c
> ===================================================================
> RCS file: /cvs/src/lib/libutil/ber.c,v
> retrieving revision 1.11
> diff -u -p -r1.11 ber.c
> --- ber.c 5 Aug 2019 12:38:14 -0000 1.11
> +++ ber.c 13 Aug 2019 13:26:09 -0000
> @@ -684,6 +684,8 @@ ber_scanf_elements(struct ber_element *b
>
> va_start(ap, fmt);
> while (*fmt) {
> + if (ber == NULL)
> + goto fail;
> switch (*fmt++) {
> case 'B':
> ptr = va_arg(ap, void **);
> @@ -788,8 +790,6 @@ ber_scanf_elements(struct ber_element *b
> goto fail;
> }
>
> - if (ber->be_next == NULL)
> - continue;
> ber = ber->be_next;
> }
> va_end(ap);
>
--
:wq Claudio
