On Mon, 2023-08-21 at 07:35 +0000, Gerhard Roth wrote: > Hi Martijn, > > last November you fixed ber.c so that sequences won't generate > an uninitialized subelement. > > This revealed another bug in ober_scanf_elements(): it couldn't > process sequences with an empty list of subelements. The following > code failed in ober_scanf_elements(): > > struct ber_element *root; > struct ber_element *sub; > > if ((root = ober_add_sequence(NULL)) == NULL) > err(1, "ober_add_sequence() failed"); > > errno = 0; > if (ober_scanf_elements(root, "{e", &sub)) > err(1, "ober_scanf_elements() failed"); > > printf("sub = %p\n", sub); > > > The patch below fixes that. > > Gerhard > > > Index: lib/libutil/ber.c > =================================================================== > RCS file: /cvs/src/lib/libutil/ber.c,v > retrieving revision 1.24 > diff -u -p -u -p -r1.24 ber.c > --- lib/libutil/ber.c 3 Nov 2022 17:58:10 -0000 1.24 > +++ lib/libutil/ber.c 21 Aug 2023 07:24:21 -0000 > @@ -700,7 +700,8 @@ ober_scanf_elements(struct ber_element * > > va_start(ap, fmt); > while (*fmt) { > - if (ber == NULL && *fmt != '$' && *fmt != '}' && *fmt != ')') > + if (ber == NULL && *fmt != '$' && *fmt != '}' && *fmt != ')' && > + *fmt != 'e') > goto fail;
I'm not sure about this part. An ober_scanf_elements of "{}e" on your example above also fails. The 'e' element might not increment the ber pointer, but I do think it should fail if an expected element is missing. > switch (*fmt++) { > case '$': > @@ -797,7 +798,7 @@ ober_scanf_elements(struct ber_element * > if (ber->be_encoding != BER_TYPE_SEQUENCE && > ber->be_encoding != BER_TYPE_SET) > goto fail; > - if (ber->be_sub == NULL || level >= _MAX_SEQ-1) > + if (level >= _MAX_SEQ-1) This part is OK martijn@ > goto fail; > parent[++level] = ber; > ber = ber->be_sub; >
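Review bot: In the first hunk (@@ -700), adding `*fmt != 'e'` to the `ber == NULL` guard means an 'e' directive no longer goes to `fail` when no element is left, so a caller asking for an element can get a successful return without one. Any existing caller that dereferences the pointer after a successful scan is then exposed to a NULL dereference. Suggest dropping this hunk so a missing element still fails, or, if a NULL result is intended for 'e', documenting that and checking the existing "e" callers for a NULL test.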
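Review bot: In the second hunk (@@ -797), once `ber->be_sub == NULL` is dropped, `ber = ber->be_sub` can leave `ber` NULL inside the sequence, and the only thing between that and a dereference is the `ber == NULL` guard at the top of the loop. Suggest a short comment here saying that an empty sequence is accepted and relies on that guard, plus a regress case that scans "{}" against an empty `ober_add_sequence(NULL)` so the behaviour stays pinned.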
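A simplified model of the scan loop discussed in this thread, added here as an example and not code from ber.c, showing what each hunk changes for an empty sequence. `struct elem`, `scan_model`, `scan_empty` and the `HUNK_*` flags are hypothetical names, and the handling of 'e' and '}' outside the quoted hunks is an assumption.

```c
#include <stddef.h>
/* Hypothetical stand-in for struct ber_element: is_seq models a SEQUENCE or
 * SET encoding, sub and next model be_sub and be_next. */
struct elem { int is_seq; struct elem *sub, *next; };

#define MAX_SEQ  128
#define HUNK_E   1  /* first hunk: 'e' exempt from the ber == NULL guard */
#define HUNK_SEQ 2  /* second hunk: '{' accepts be_sub == NULL */

/* Model of the loop for '{', '}' and 'e' only; returns 0 or -1. */
int scan_model(struct elem *ber, const char *fmt, struct elem **out, int hunks)
{
	struct elem *parent[MAX_SEQ] = { NULL };
	int level = -1;
	while (*fmt) {
		if (ber == NULL && *fmt != '}' &&
		    !(*fmt == 'e' && (hunks & HUNK_E)))
			return -1;
		switch (*fmt++) {
		case 'e':   /* hand back the current element without advancing */
			*out = ber;
			continue;
		case '{':
			if (!ber->is_seq || level >= MAX_SEQ - 1)
				return -1;
			if (ber->sub == NULL && !(hunks & HUNK_SEQ))
				return -1;
			parent[++level] = ber;
			ber = ber->sub;
			continue;
		case '}':   /* assumed: pop the parent, then step to its next */
			if (level < 0 || parent[level] == NULL)
				return -1;
			ber = parent[level--];
			break;
		default:
			return -1;
		}
		ber = ber->next;
	}
	return 0;
}

/* Constructed input: an empty sequence, as in the report above. */
int scan_empty(const char *fmt, int hunks, struct elem **out)
{
	static struct elem root = { 1, NULL, NULL };
	return scan_model(&root, fmt, out, hunks);
}
```

In this model, the second hunk alone makes "{}" succeed on an empty sequence while "{e" and "{}e" still fail. With the first hunk as well, "{e" succeeds and hands back NULL, which the caller then has to check.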