From: Joshua Rogers Date: Mon, 8 Sep 2025 11:08:47 +0000 (+0000) Subject: SNMP: Improve parsing of malformed ASN.1 object identifiers (#2185) X-Git-Tag: SQUID_7_2~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=38c6e2e6e5760dc1b55638d04870f1ebbecddfca;p=thirdparty%2Fsquid.git SNMP: Improve parsing of malformed ASN.1 object identifiers (#2185) ASN.1 object identifiers are length-delimited, not null-terminated. If the input encoding omits a terminating byte (MSB clear), then the parser would walk past the buffer. Also simplified expressions related to sub-identifier parsing.
---
diff --git a/lib/snmplib/asn1.c b/lib/snmplib/asn1.c
index 2852c26b22..022a871793 100644
--- a/lib/snmplib/asn1.c
+++ b/lib/snmplib/asn1.c
@@ -675,11 +675,15 @@ asn_parse_objid(u_char * data, int *datalength,
 while (length > 0 && (*objidlength)-- > 0) {
 subidentifier = 0;
- do { /* shift and add in low order 7 bits */
+ do {
+ if (length-- <= 0) {
+ snmp_set_api_error(SNMPERR_ASN_DECODE);
+ return (NULL);
+ }
+ // shift and add in low order 7 bits
 subidentifier = (subidentifier << 7)
- + (*(u_char *) bufp & ~ASN_BIT8);
- length--;
- } while (*(u_char *) bufp++ & ASN_BIT8);
+ | (*bufp & ~ASN_BIT8);
+ } while (*bufp++ & ASN_BIT8);
 /* while last byte has high bit clear */
 if (subidentifier > (u_int) MAX_SUBID) {
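Review bot: The accumulation `subidentifier = (subidentifier << 7) | (*bufp & ~ASN_BIT8);` in the new do-loop is now bounded by `length`, but the value is still compared with `MAX_SUBID` only after the loop, so a long run of continuation bytes can shift the high bits out and leave a wrapped value that passes that check. Rejecting before the shift would close this: `if (subidentifier > ((u_int) MAX_SUBID >> 7)) { snmp_set_api_error(SNMPERR_ASN_DECODE); return (NULL); }`. The declaration of `subidentifier` is outside the hunk, so the width at which bits are lost is an assumption to confirm, and asn_parse_objid itself begins and ends outside the hunk. The retained context comment `/* while last byte has high bit clear */` also reads backwards, since the loop continues while the high bit is set; `/* loop ends at the first byte with the high bit clear */` would match the code.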