From: Zdenek Dohnal
Date: Mon, 18 Mar 2024 14:02:30 +0000 (+0100)
Subject: snmp.c: Validate input OID string for `_cupsSNMPStringToOID()`
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F907%2Fhead;p=thirdparty%2Fcups.git

snmp.c: Validate input OID string for `_cupsSNMPStringToOID()`

We can accept an OID string as input in a few cases (mainly via side channel) and if the crafted OID string is sent, the internal function `asn1_size_oid()` can end up with a stack buffer overflow.

The issue happens when one OID node is too large, or the OID is invalid (ending with dots) - we can fix it in `_cupsSNMPStringToOID()` by checking if the last source character is a dot (invalid OID), and by limiting the integer for an OID node to 0xffff.

Fixes #905
---
diff --git a/cups/snmp.c b/cups/snmp.c index cd80ea5692..3d68a5e424 100644 --- a/cups/snmp.c +++ b/cups/snmp.c @@ -485,13 +485,18 @@ _cupsSNMPStringToOID(const char *src, /* I - OID string */ *src && dstptr < dstend; src ++) { - if (*src == '.') + if (*src == '.' && src[1]) { dstptr ++; *dstptr = 0; } else if (isdigit(*src & 255)) + { + if ((*dstptr * 10 + *src - '0') > 0xffff) + break; + *dstptr = *dstptr * 10 + *src - '0'; + } else break; }
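
Review bot: Both new rejection paths, the trailing dot caught by `if (*src == '.' && src[1])` and the oversized node caught by the `> 0xffff` test, only `break` out of the loop, and the hunk does not show what the function does after the loop. If the code that follows does not treat a non-NUL `*src` as a failure, the caller receives a truncated OID instead of an error, so please confirm that the post-loop check rejects both cases, and add unit tests for an OID ending in a dot and for a node value of 65536. The `src[1]` test also still lets an empty node through: for consecutive dots the first dot advances `dstptr` and stores 0, which the commit message does not list as valid or invalid input. The limit `0xffff` is a bare literal with no comment; a named constant with a note tying it to what `asn1_size_oid()` can handle would make the bound reviewable. The expression `*dstptr * 10 + *src - '0'` is evaluated twice, once in the check and once in the assignment, so computing it once into a local and then testing and storing that value would keep the two from drifting apart.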