On Mon, 2023-08-21 at 07:35 +0000, Gerhard Roth wrote:
> Hi Martijn,
> 
> last November you fixed ber.c so that sequences won't generate
> an uninitialized subelement.
> 
> This revealed another bug in ober_scanf_elements(): it couldn't
> process sequences with an empty list of subelements. The following
> code failed in ober_scanf_elements():
> 
>       struct ber_element      *root;
>       struct ber_element      *sub;
> 
>       if ((root = ober_add_sequence(NULL)) == NULL)
>               err(1, "ober_add_sequence() failed");
> 
>       errno = 0;
>       if (ober_scanf_elements(root, "{e", &sub))
>               err(1, "ober_scanf_elements() failed");
> 
>       printf("sub = %p\n", sub);
> 
> 
> The patch below fixes that.
> 
> Gerhard
> 
> 
> Index: lib/libutil/ber.c
> ===================================================================
> RCS file: /cvs/src/lib/libutil/ber.c,v
> retrieving revision 1.24
> diff -u -p -u -p -r1.24 ber.c
> --- lib/libutil/ber.c 3 Nov 2022 17:58:10 -0000       1.24
> +++ lib/libutil/ber.c 21 Aug 2023 07:24:21 -0000
> @@ -700,7 +700,8 @@ ober_scanf_elements(struct ber_element *
>  
>       va_start(ap, fmt);
>       while (*fmt) {
> -             if (ber == NULL && *fmt != '$' && *fmt != '}' && *fmt != ')')
> +             if (ber == NULL && *fmt != '$' && *fmt != '}' && *fmt != ')' &&
> +                 *fmt != 'e')
>                       goto fail;

I'm not sure about this part. An ober_scanf_elements of "{}e" on your
example above also fails. The 'e' element might not increment the ber
pointer, but I do think it should fail if an expected element is
missing.

>               switch (*fmt++) {
>               case '$':
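
Review bot: With `*fmt != 'e'` added to the guard at the top of the loop, an 'e' conversion now proceeds while ber is NULL, so "{e" on an empty sequence would report success and leave the caller holding what is presumably a NULL element pointer. The 'e' case body is not part of this hunk, so confirm it only stores ber and never dereferences it. Then either keep the failure when the expected element is missing or state in the manual page that 'e' can yield NULL and callers must check for it. A regress test covering "{e" and "{}e" on an empty sequence would pin down the intended behaviour.
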
> @@ -797,7 +798,7 @@ ober_scanf_elements(struct ber_element *
>                       if (ber->be_encoding != BER_TYPE_SEQUENCE &&
>                           ber->be_encoding != BER_TYPE_SET)
>                               goto fail;
> -                     if (ber->be_sub == NULL || level >= _MAX_SEQ-1)
> +                     if (level >= _MAX_SEQ-1)

This part is OK martijn@

>                               goto fail;
>                       parent[++level] = ber;
>                       ber = ber->be_sub;
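
Review bot: Dropping the `ber->be_sub == NULL` test means `ber = ber->be_sub;` can now leave ber NULL for an empty sequence or set, so every conversion that follows relies on the NULL guard at the top of the loop to avoid a dereference. Add a short comment at this assignment saying that ber may be NULL after entering an empty sequence and that the loop-top check handles it, so a later change to that check does not quietly reintroduce a NULL dereference.
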
> 
