ASN.1 object identifiers are length-delimited, not null-terminated. If
the input encoding omits a terminating byte (one with the MSB clear), the
parser would walk past the end of the buffer.
Also simplified expressions related to sub-identifier parsing.
while (length > 0 && (*objidlength)-- > 0) {
subidentifier = 0;
- do { /* shift and add in low order 7 bits */
+ do {
+ if (length-- <= 0) {
+ snmp_set_api_error(SNMPERR_ASN_DECODE);
+ return (NULL);
+ }
+ // shift and add in low order 7 bits
subidentifier = (subidentifier << 7)
- + (*(u_char *) bufp & ~ASN_BIT8);
- length--;
- } while (*(u_char *) bufp++ & ASN_BIT8);
+ | (*bufp & ~ASN_BIT8);
+ } while (*bufp++ & ASN_BIT8);
/* while last byte has high bit clear */
if (subidentifier > (u_int) MAX_SUBID) {