diff options
| author | Martijn van Duren <martijn@cvs.openbsd.org> | 2022-12-20 20:06:48 +0000 |
|---|---|---|
| committer | Martijn van Duren <martijn@cvs.openbsd.org> | 2022-12-20 20:06:48 +0000 |
| commit | 0e195717ff07f6eb93eb01970d63a4bfda78a95f (patch) | |
| tree | 8d9a588cc766226dbd1a2a92d666ea8286ee4fa0 /usr.sbin | |
| parent | 9e89070c560bb9c3e78234412138259392f24e83 (diff) | |
Apply proper bounds checking to non-repeaters and max-repetitions.
OK sthen@, kn@
Diffstat (limited to 'usr.sbin')
| -rw-r--r-- | usr.sbin/snmpd/snmpe.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/usr.sbin/snmpd/snmpe.c b/usr.sbin/snmpd/snmpe.c index e0467b08e1f..add7acf3c4b 100644 --- a/usr.sbin/snmpd/snmpe.c +++ b/usr.sbin/snmpd/snmpe.c @@ -1,4 +1,4 @@ -/* $OpenBSD: snmpe.c,v 1.86 2022/12/20 19:53:33 martijn Exp $ */ +/* $OpenBSD: snmpe.c,v 1.87 2022/12/20 20:06:47 martijn Exp $ */ /* * Copyright (c) 2007, 2008, 2012 Reyk Floeter <reyk@openbsd.org> @@ -445,10 +445,18 @@ badversion: goto fail; } - for (a = msg->sm_varbind; a != NULL; a = a->be_next) { + for (len = 0, a = msg->sm_varbind; a != NULL; a = a->be_next, len++) { if (ober_scanf_elements(a, "{oS$}", NULL) == -1) goto parsefail; } + /* + * error-status == non-repeaters + * error-index == max-repetitions + */ + if (msg->sm_pdutype == SNMP_C_GETBULKREQ && + (errval < 0 || errval > (long long)len || + erridx < 1 || erridx > UINT16_MAX)) + goto parsefail; msg->sm_request = req; msg->sm_error = errval; |