Fix stack-based buffer-overflow when parsing SNMP messages (#319) M-staged-PR319
authorflozilla <fishyflow@gmail.com>
Tue, 19 Feb 2019 12:41:00 +0000 (12:41 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Tue, 19 Feb 2019 14:21:00 +0000 (14:21 +0000)
Fortunately, this off-by-one bug seems to have no runtime effect.

lib/snmplib/snmp_msg.c
lib/snmplib/snmp_vars.c

index 00166ab110e5ace94d94e391b1dd656f2d0bb61c..26f3f91088a2102dd5ce6ce9af84015fb2167307 100644 (file)
@@ -272,12 +272,16 @@ snmp_msg_Decode(u_char * Packet, int *PacketLenP,
         snmplib_debug(4, "snmp_msg_Decode:Error decoding SNMP Message Header (Version)!\n");
         ASN_PARSE_ERROR(NULL);
     }
+    int terminatorPos = *CommLenP - 1;
     bufp = asn_parse_string(bufp, PacketLenP, &type, Community, CommLenP);
     if (bufp == NULL) {
         snmplib_debug(4, "snmp_msg_Decode:Error decoding SNMP Message Header (Community)!\n");
         ASN_PARSE_ERROR(NULL);
     }
-    Community[*CommLenP] = '\0';
+    if (*CommLenP < terminatorPos) {
+        terminatorPos = *CommLenP;
+    }
+    Community[terminatorPos] = '\0';
 
     if ((*Version != SNMP_VERSION_1) &&
             (*Version != SNMP_VERSION_2)) {
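Review bot: `int terminatorPos = *CommLenP - 1;` goes negative when the caller passes a capacity of zero or less, and the later clamp only ever lowers the index, so `Community[terminatorPos] = '\0'` would then write before the start of the buffer. Whether any caller can pass such a capacity is not visible here, so the function should reject it itself, for example `if (*CommLenP < 1) { ASN_PARSE_ERROR(NULL); }` ahead of the subtraction. The same unguarded subtraction appears in snmp_var_DecodeVarBind as `Var->val_len - 1`. If asn_parse_string accepts a community string that exactly fills the buffer, the terminator replaces its last byte while `*CommLenP` still reports the full length, which deserves a comment such as `/* terminator may replace the last byte when the community fills the buffer */`. snmp_msg_Decode starts and ends outside this hunk.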
index 75fb224f6f58c414c70bd6e2183dc27c3d54c344..3c828f2976687f9d16605c77f27524695556510d 100644 (file)
@@ -511,9 +511,14 @@ snmp_var_DecodeVarBind(u_char * Buffer, int *BufLen,
                 snmp_set_api_error(SNMPERR_OS_ERR);
                 PARSE_ERROR;
             }
+            int terminatorPos = Var->val_len - 1;
             bufp = asn_parse_string(DataPtr, &ThisVarLen,
                                     &Var->type, Var->val.string,
                                     &Var->val_len);
+            if (Var->val_len < terminatorPos) {
+                terminatorPos = Var->val_len;
+            }
+            Var->val.string[terminatorPos] = '\0';
 #if DEBUG_VARS_DECODE
             printf("VARS: Decoded string '%s' (length %d) (%d bytes left)\n",
                    (Var->val.string), Var->val_len, ThisVarLen);
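Review bot: The terminator is stored at `Var->val.string[terminatorPos]` before anything in these lines checks `bufp`, whereas the snmp_msg.c hunk terminates only after its NULL check. On a failed parse the index depends on whatever asn_parse_string left in `Var->val_len`; the clamp keeps it no higher than the pre-parse length minus one, but moving the store after the error check (which presumably follows outside this hunk) would make the two call sites consistent and easier to audit. When the decoded value fills the allocation exactly, the last data byte is overwritten while `Var->val_len` still reports the full length, so consumers that use the length and consumers that treat the value as a C string will disagree. A comment such as `/* terminator may replace the last data byte when the value fills the buffer */` would record that trade-off.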