From 1174a2404f8d26ea8a7223d1ec379a8d1b5ee865 Mon Sep 17 00:00:00 2001
From: flozilla
Date: Tue, 19 Feb 2019 12:41:00 +0000
Subject: [PATCH] Fix stack-based buffer-overflow when parsing SNMP messages (#319)

Fortunately, this off-by-one bug seems to have no runtime effect.
---
 lib/snmplib/snmp_msg.c | 6 +++++-
 lib/snmplib/snmp_vars.c | 5 +++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/lib/snmplib/snmp_msg.c b/lib/snmplib/snmp_msg.c
index 00166ab110..26f3f91088 100644
--- a/lib/snmplib/snmp_msg.c
+++ b/lib/snmplib/snmp_msg.c
@@ -272,12 +272,16 @@ snmp_msg_Decode(u_char * Packet, int *PacketLenP,
 snmplib_debug(4, "snmp_msg_Decode:Error decoding SNMP Message Header (Version)!\n");
 ASN_PARSE_ERROR(NULL);
 }
+ int terminatorPos = *CommLenP - 1;
 bufp = asn_parse_string(bufp, PacketLenP, &type, Community, CommLenP);
 if (bufp == NULL) {
 snmplib_debug(4, "snmp_msg_Decode:Error decoding SNMP Message Header (Community)!\n");
 ASN_PARSE_ERROR(NULL);
 }
- Community[*CommLenP] = '\0';
+ if (*CommLenP < terminatorPos) {
+ terminatorPos = *CommLenP;
+ }
+ Community[terminatorPos] = '\0';
 if ((*Version != SNMP_VERSION_1) && (*Version != SNMP_VERSION_2)) {
diff --git a/lib/snmplib/snmp_vars.c b/lib/snmplib/snmp_vars.c
index 75fb224f6f..3c828f2976 100644
--- a/lib/snmplib/snmp_vars.c
+++ b/lib/snmplib/snmp_vars.c
@@ -511,9 +511,14 @@ snmp_var_DecodeVarBind(u_char * Buffer, int *BufLen,
 snmp_set_api_error(SNMPERR_OS_ERR);
 PARSE_ERROR;
 }
+ int terminatorPos = Var->val_len - 1;
 bufp = asn_parse_string(DataPtr, &ThisVarLen, &Var->type, Var->val.string, &Var->val_len);
+ if (Var->val_len < terminatorPos) {
+ terminatorPos = Var->val_len;
+ }
+ Var->val.string[terminatorPos] = '\0';
 #if DEBUG_VARS_DECODE
 printf("VARS: Decoded string '%s' (length %d) (%d bytes left)\n", (Var->val.string), Var->val_len, ThisVarLen);
--
2.47.2
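Review bot: `terminatorPos` becomes -1 when `*CommLenP` is 0 on entry, and the clamp `if (*CommLenP < terminatorPos)` can only lower it, so `Community[terminatorPos] = '\0'` then writes one byte before the buffer; the snmp_vars.c hunk has the same gap with `Var->val_len`. A guard right after the declaration, `if (terminatorPos < 0) { ASN_PARSE_ERROR(NULL); }` (`PARSE_ERROR;` in snmp_vars.c), closes it; whether a zero-sized buffer can actually reach this point depends on the callers, which are outside the hunk. Separately, when the decoded length equals the buffer size the terminator overwrites the last character while `*CommLenP` still reports the untruncated length, so a caller reading `*CommLenP` sees one byte more than the NUL-terminated string holds; a comment on the write such as `/* NUL-terminate inside the buffer; a community that fills it loses its last byte and *CommLenP is not adjusted */` would record that. snmp_msg_Decode begins and continues outside the hunk.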
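Review bot: The terminator is written into `Var->val.string` immediately after `asn_parse_string` returns, before its result is checked, whereas the snmp_msg.c hunk writes the NUL only after the `bufp == NULL` test. If the call fails, `Var->val_len` may not describe what is in the buffer, although the clamp keeps the index inside it as long as `Var->val_len` was at least 1 on entry. If the NULL check sits further down in snmp_var_DecodeVarBind, which continues outside the hunk, moving the clamp and the write after that check would keep the two decoders consistent. A one-line comment on the write, `/* clamp so the terminator stays inside the val_len-byte buffer */`, would also explain why the index is not simply val_len.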