ping
On 10/3/19 6:35 PM, Martijn van Duren wrote:
> So looking closer at Claudio's remark from this morning I found that 'e'
> basically *must* be the last element in the sequence (or weird *beep*
> happens). Also, 'e' never fails, since ber_link_elements doesn't have a
> fail-case. So combining this information, if we end a
> ber_printf_elements on 'e' and we fail we must free the pointer
> ourselves.
>
> OK?
>
> martijn@
>
> Index: snmp.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/snmp/snmp.c,v
> retrieving revision 1.7
> diff -u -p -r1.7 snmp.c
> --- snmp.c 3 Oct 2019 11:02:26 -0000 1.7
> +++ snmp.c 3 Oct 2019 16:32:23 -0000
> @@ -252,15 +252,17 @@ fail:
> struct ber_element *
> snmp_set(struct snmp_agent *agent, struct ber_element *vblist)
> {
> - struct ber_element *pdu;
> + struct ber_element *pdu, *varbind;
>
> if ((pdu = ber_add_sequence(NULL)) == NULL)
> return NULL;
> - if (ber_printf_elements(pdu, "tddd{e", BER_CLASS_CONTEXT,
> - SNMP_C_SETREQ, arc4random() & 0x7fffffff, 0, 0, vblist) == NULL) {
> + if ((varbind = ber_printf_elements(pdu, "tddd{", BER_CLASS_CONTEXT,
> + SNMP_C_SETREQ, arc4random() & 0x7fffffff, 0, 0, vblist)) == NULL) {
> ber_free_elements(pdu);
> + ber_free_elements(vblist);
> return NULL;
> }
> + ber_link_elements(varbind, vblist);
>
> return snmp_resolve(agent, pdu, 1);
> }
> @@ -428,10 +430,14 @@ snmp_package(struct snmp_agent *agent, s
> if (ber_printf_elements(message, "d{idxd}xe",
> agent->version, msgid, UDP_MAXPACKET, &(agent->v3->level),
> (size_t) 1, agent->v3->sec->model, securityparams,
> - securitysize, scopedpdu) == NULL)
> + securitysize, scopedpdu) == NULL) {
> + ber_free_elements(scopedpdu);
> goto fail;
> - if (ber_scanf_elements(message, "{SSe", &secparams) == -1)
> + }
> + if (ber_scanf_elements(message, "{SSe", &secparams) == -1) {
> + ber_free_elements(secparams);
> goto fail;
> + }
> ber_set_writecallback(secparams, snmp_v3_secparamsoffset,
> &secparamsoffset);
> break;
>
