ober_get_nstring writes a pointer to buf and does not overwrite the
content of buf itself. So pushing an array in there will result in it
only writing the pointer address to the array, which is not exactly what
we want to show.
I choose to go for sizeof, instead of using the define to be a little
more on the safe side, but I didn't change SNMPD_MAXCONTEXNAMELEN to
keep the diff small.
OK?
martijn@
Index: snmpe.c
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v
retrieving revision 1.76
diff -u -p -r1.76 snmpe.c
--- snmpe.c 6 Sep 2021 13:32:18 -0000 1.76
+++ snmpe.c 26 Sep 2021 08:19:59 -0000
@@ -237,7 +237,7 @@ snmpe_parse(struct snmp_message *msg)
long long errval, erridx;
u_int class;
char *comn;
- char *flagstr, *ctxname;
+ char *flagstr, *ctxname, *engineid;
size_t len;
struct sockaddr_storage *ss = &msg->sm_ss;
struct ber_element *root = msg->sm_req;
@@ -300,9 +300,12 @@ snmpe_parse(struct snmp_message *msg)
}
if (ober_scanf_elements(a, "{xxeS$}$",
- &msg->sm_ctxengineid, &msg->sm_ctxengineid_len,
- &ctxname, &len, &msg->sm_pdu) != 0)
+ &engineid, &msg->sm_ctxengineid_len, &ctxname, &len,
+ &msg->sm_pdu) != 0)
goto parsefail;
+ if (msg->sm_ctxengineid_len > sizeof(msg->sm_ctxengineid))
+ goto parsefail;
+ memcpy(msg->sm_ctxengineid, engineid, msg->sm_ctxengineid_len);
if (len > SNMPD_MAXCONTEXNAMELEN)
goto parsefail;
memcpy(msg->sm_ctxname, ctxname, len);
