I managed to make snmp(1) crash when I sent a malformed snmp packet.
Specifically, when I have a varbind with an oid but no value.

I test for this case via ber_scanf_elements("{oS}", which presumably
would crap out if my skip doesn't have an element. Unfortunately, the
reality is that the be_next is skipped and we try again with the same value.

This can give us extremely weird results if we scan for two consecutive
elements of the same type (e.g. "ss") where the second element is
non-existent. This would result in the second element having the data
of the first element.

Diff below fixes this.

OK?

martijn@

Index: ber.c
===================================================================
RCS file: /cvs/src/lib/libutil/ber.c,v
retrieving revision 1.11
diff -u -p -r1.11 ber.c
--- ber.c       5 Aug 2019 12:38:14 -0000       1.11
+++ ber.c       13 Aug 2019 13:26:09 -0000
@@ -684,6 +684,8 @@ ber_scanf_elements(struct ber_element *b
 
        va_start(ap, fmt);
        while (*fmt) {
+               if (ber == NULL)
+                       goto fail;
                switch (*fmt++) {
                case 'B':
                        ptr = va_arg(ap, void **);
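Review bot: the new NULL check sits before the switch, so it fires for every format character, including ones that do not consume an element; if '}' or ')' can legitimately be reached with ber == NULL (for instance after descending into an empty constructed element), that case will now go to fail where it used to succeed, so consider excluding the closers (`if (ber == NULL && *fmt != '}' && *fmt != ')')`) or moving the check into the element-consuming cases. Also worth confirming that the fail: label still runs va_end(ap), since this is a new early exit from inside the va_start/va_end pair.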
@@ -788,8 +790,6 @@ ber_scanf_elements(struct ber_element *b
                        goto fail;
                }
 
-               if (ber->be_next == NULL)
-                       continue;
                ber = ber->be_next;
        }
        va_end(ap);
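Review bot: removing the `continue` is the actual fix for the reuse described above: with it, `ber` stayed on the last element whenever be_next was NULL, so the next format character re-scanned the same element (hence "ss" returning the first string's data twice); without it `ber` becomes NULL and the loop-top check reports the short packet instead. A format string that ends exactly at the last element still succeeds, because `while (*fmt)` exits before the NULL check runs, so callers whose format matches the element count are unaffected.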

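To make the element-reuse behaviour described above concrete, here is an added toy model that is not libutil's code: a constructed linked chain of elements, a hypothetical scan_elements() that understands only 'i' (store integer) and 'S' (skip), and a mode switch between the old walk (stay on the last element when there is no next one) and the patched walk (advance, then fail on NULL at the loop top). All names and the sample chain are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a decoded element chain (hypothetical type). */
struct elem {
	long		 value;
	struct elem	*next;
};

/* WALK_REUSE_LAST models the pre-patch loop, WALK_FAIL_ON_END the patched one. */
enum walk_mode { WALK_REUSE_LAST, WALK_FAIL_ON_END };

static void
free_chain(struct elem *e)
{
	while (e != NULL) {
		struct elem *next = e->next;
		free(e);
		e = next;
	}
}

/* Build a chain from a constructed array of values; NULL on allocation failure. */
static struct elem *
build_chain(const long *vals, size_t n)
{
	struct elem *head = NULL, **tail = &head;
	size_t i;

	for (i = 0; i < n; i++) {
		struct elem *e = calloc(1, sizeof(*e));
		if (e == NULL) {
			free_chain(head);
			return NULL;
		}
		e->value = vals[i];
		*tail = e;
		tail = &e->next;
	}
	return head;
}

/*
 * Toy scanner: 'i' copies the current element's value into out[],
 * 'S' skips the current element. Returns 0 on success, -1 on failure.
 */
int
scan_elements(struct elem *e, const char *fmt, enum walk_mode mode,
    long *out, size_t outlen)
{
	size_t n = 0;

	while (*fmt) {
		if (e == NULL)		/* the loop-top check the patch adds */
			return -1;
		switch (*fmt++) {
		case 'i':
			if (n >= outlen)
				return -1;
			out[n++] = e->value;
			break;
		case 'S':
			break;
		default:
			return -1;
		}
		/* Old behaviour: never step past the last element, so the
		 * next format character sees the same element again. */
		if (mode == WALK_REUSE_LAST && e->next == NULL)
			continue;
		e = e->next;
	}
	return 0;
}

/* Run fmt over the constructed chain 10 -> 20 and return out[slot],
 * or -1 when the scan fails. */
long
scan_chain_slot(const char *fmt, enum walk_mode mode, size_t slot)
{
	static const long vals[] = { 10, 20 };
	long out[8] = { 0 };
	struct elem *chain = build_chain(vals, 2);
	int rc;

	if (chain == NULL || slot >= 8)
		return -1;
	rc = scan_elements(chain, fmt, mode, out, 8);
	free_chain(chain);
	return rc == 0 ? out[slot] : -1;
}

int
main(void)
{
	/* Three integers requested from a two-element chain. */
	printf("old walk, third slot: %ld\n",
	    scan_chain_slot("iii", WALK_REUSE_LAST, 2));
	printf("new walk, third slot: %ld\n",
	    scan_chain_slot("iii", WALK_FAIL_ON_END, 2));
	return 0;
}
```

With the old walk, "iii" over a two-element chain silently reports 20 for the third slot (the second element's data, the behaviour the mail describes for "ss"), and "iSi" likewise re-reads the skipped element; with the patched walk both formats fail, while a format that matches the chain length succeeds in either mode.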