From e5d4ed32a42140ef42055c1c73713590b10a59ab Mon Sep 17 00:00:00 2001
From: Zdenek Dohnal
Date: Mon, 18 Mar 2024 15:02:30 +0100
Subject: [PATCH] snmp.c: Validate input OID string for `_cupsSNMPStringToOID()`

We can accept OID string as input in few cases (mainly via side channel) and if the crafted OID string is sent, internal function `asn1_size_oid()` can end up with stack buffer overflow.

The issue happens when one OID node is too large, or OID is invalid (ending with dots) - we can fix it in `_cupsSNMPStringToOID()` by checking if the last source character is a dot (invalid OID), and by limiting integer for OID node to 0xffff.

Fixes #905
---
 cups/snmp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/cups/snmp.c b/cups/snmp.c
index cd80ea5692..3d68a5e424 100644
--- a/cups/snmp.c
+++ b/cups/snmp.c
@@ -485,13 +485,18 @@ _cupsSNMPStringToOID(const char *src, /* I - OID string */
        *src && dstptr < dstend;
        src ++)
   {
-    if (*src == '.')
+    if (*src == '.' && src[1])
     {
       dstptr ++;
       *dstptr = 0;
     }
     else if (isdigit(*src & 255))
+    {
+      if ((*dstptr * 10 + *src - '0') > 0xffff)
+        break;
+
       *dstptr = *dstptr * 10 + *src - '0';
+    }
     else
       break;
   }
-- 
2.47.2
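Review bot: The `> 0xffff` guard rejects an oversized node by breaking out of the loop, but `*dstptr` keeps the digits parsed so far, so the result is a silently truncated OID rather than a rejected one; if the function's tail (outside the hunk) still returns `dst` unconditionally, a caller cannot tell a clamped input from a valid short OID and may go on to query a different object than the one named. The limit itself is a bare magic number; a comment tying it to the rationale in the commit message would help, e.g. `/* Node values above 0xffff overflow the fixed encoding buffer in asn1_size_oid(); stop parsing here */`. The `src[1]` test only catches a single trailing dot; a leading dot or a `..` run still advances `dstptr` and emits a zero-valued node, which the hunk does not show to be acceptable to the encoder, so that case deserves either a comment or its own check. The enclosing `for` header starts before the hunk and the function continues after it.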