From: Alex Rousskov <rousskov@measurement-factory.com>
Date: Sat, 30 Aug 2025 06:49:36 +0000 (+0000)
Subject: Fix ASN.1 encoding of long SNMP OIDs (#2149)
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=250a18e0a80694b919972a1836cdfe20f2e1baa0;p=thirdparty%2Fsquid.git

Fix ASN.1 encoding of long SNMP OIDs (#2149)
---

diff --git a/lib/snmplib/asn1.c b/lib/snmplib/asn1.c
index 81f2051fbe..2852c26b22 100644
--- a/lib/snmplib/asn1.c
+++ b/lib/snmplib/asn1.c
@@ -735,6 +735,7 @@ asn_build_objid(u_char * data, int *datalength,
      * lastbyte ::= 0 7bitvalue
      */
     u_char buf[MAX_OID_LEN];
+    u_char *bufEnd = buf + sizeof(buf);
     u_char *bp = buf;
     oid *op = objid;
     int asnlength;
@@ -753,6 +754,10 @@ asn_build_objid(u_char * data, int *datalength,
     while (objidlength-- > 0) {
         subid = *op++;
         if (subid < 127) {  /* off by one? */
+            if (bp >= bufEnd) {
+                snmp_set_api_error(SNMPERR_ASN_ENCODE);
+                return (NULL);
+            }
             *bp++ = subid;
         } else {
             mask = 0x7F;    /* handle subid == 0 case */
@@ -770,8 +775,16 @@ asn_build_objid(u_char * data, int *datalength,
                 /* fix a mask that got truncated above */
                 if (mask == 0x1E00000)
                     mask = 0xFE00000;
+                if (bp >= bufEnd) {
+                    snmp_set_api_error(SNMPERR_ASN_ENCODE);
+                    return (NULL);
+                }
                 *bp++ = (u_char) (((subid & mask) >> bits) | ASN_BIT8);
             }
+            if (bp >= bufEnd) {
+                snmp_set_api_error(SNMPERR_ASN_ENCODE);
+                return (NULL);
+            }
             *bp++ = (u_char) (subid & mask);
         }
     }