I managed to make snmp(1) crash, when I sent a malformed snmp packet. Specifically when I have a varbind with an oid, but no value.
I test for this case via ber_scanf_elements("{oS}", which presumably would crap out if my skip doesn't have an element. Unfortunately reality is that the be_next is skipped and we try again with the same value. This can give us extremely weird results if we scan for two consecutive elements of the same type (e.g. "ss") where the second element is non-existent. This would result in the second element having the data of the first element. Diff below fixes this. OK? martijn@ Index: ber.c =================================================================== RCS file: /cvs/src/lib/libutil/ber.c,v retrieving revision 1.11 diff -u -p -r1.11 ber.c --- ber.c 5 Aug 2019 12:38:14 -0000 1.11 +++ ber.c 13 Aug 2019 13:26:09 -0000 @@ -684,6 +684,8 @@ ber_scanf_elements(struct ber_element *b va_start(ap, fmt); while (*fmt) { + if (ber == NULL) + goto fail; switch (*fmt++) { case 'B': ptr = va_arg(ap, void **); @@ -788,8 +790,6 @@ ber_scanf_elements(struct ber_element *b goto fail; } - if (ber->be_next == NULL) - continue; ber = ber->be_next; } va_end(ap);