From: flozilla
Date: Tue, 19 Feb 2019 12:41:00 +0000 (+0000)
Subject: Fix stack-based buffer-overflow when parsing SNMP messages (#319)
X-Git-Tag: M-staged-PR319
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e008097c6636bfdca3b3ca7dd63411c2b4da4e53;p=thirdparty%2Fsquid.git

Fix stack-based buffer-overflow when parsing SNMP messages (#319)

Fortunately, this off-by-one bug seems to have no runtime effect.
---
diff --git a/lib/snmplib/snmp_msg.c b/lib/snmplib/snmp_msg.c
index 00166ab110..26f3f91088 100644
--- a/lib/snmplib/snmp_msg.c
+++ b/lib/snmplib/snmp_msg.c
@@ -272,12 +272,16 @@ snmp_msg_Decode(u_char * Packet, int *PacketLenP,
 snmplib_debug(4, "snmp_msg_Decode:Error decoding SNMP Message Header (Version)!\n");
 ASN_PARSE_ERROR(NULL);
 }
+ int terminatorPos = *CommLenP - 1;
 bufp = asn_parse_string(bufp, PacketLenP, &type, Community, CommLenP);
 if (bufp == NULL) {
 snmplib_debug(4, "snmp_msg_Decode:Error decoding SNMP Message Header (Community)!\n");
 ASN_PARSE_ERROR(NULL);
 }
- Community[*CommLenP] = '\0';
+ if (*CommLenP < terminatorPos) {
+ terminatorPos = *CommLenP;
+ }
+ Community[terminatorPos] = '\0';
 if ((*Version != SNMP_VERSION_1) && (*Version != SNMP_VERSION_2)) {
diff --git a/lib/snmplib/snmp_vars.c b/lib/snmplib/snmp_vars.c
index 75fb224f6f..3c828f2976 100644
--- a/lib/snmplib/snmp_vars.c
+++ b/lib/snmplib/snmp_vars.c
@@ -511,9 +511,14 @@ snmp_var_DecodeVarBind(u_char * Buffer, int *BufLen,
 snmp_set_api_error(SNMPERR_OS_ERR);
 PARSE_ERROR;
 }
+ int terminatorPos = Var->val_len - 1;
 bufp = asn_parse_string(DataPtr, &ThisVarLen, &Var->type, Var->val.string, &Var->val_len);
+ if (Var->val_len < terminatorPos) {
+ terminatorPos = Var->val_len;
+ }
+ Var->val.string[terminatorPos] = '\0';
 #if DEBUG_VARS_DECODE
 printf("VARS: Decoded string '%s' (length %d) (%d bytes left)\n", (Var->val.string), Var->val_len, ThisVarLen);
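Review bot: The clamp added before `Community[terminatorPos] = '\0';` silently truncates a community string that exactly fills its buffer while `*CommLenP` still reports the untruncated length, and if a caller ever passes `*CommLenP == 0` on entry then `terminatorPos` is -1, `0 < -1` is false, and the write lands one byte before `Community`. Assuming `*CommLenP` holds the buffer capacity on entry (which the new code already relies on), rejecting the over-long case is safer than truncating, because a truncated community could later compare equal to a shorter configured one: `if (*CommLenP > terminatorPos) { ASN_PARSE_ERROR(NULL); }` followed by the original `Community[*CommLenP] = '\0';` handles both edges. The snmp_vars.c hunk has the same -1 arithmetic, and when the decoded value fills `Var->val.string` the terminator overwrites the value's last byte, which corrupts the value if this path also carries binary OCTET STRING contents (IP addresses, opaque data); unlike here, the result of asn_parse_string is not checked before that write. snmp_msg_Decode continues past this hunk, and the snmp_vars.c hunk is cut off in this view.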