ping
On Sun, 2021-09-26 at 10:22 +0200, Martijn van Duren wrote:
> ober_get_nstring stores a pointer into buf; it does not copy the string
> content into buf itself. So passing an array there results in only the
> pointer value being written into the array, which is not what we want
> to show.
>
> I chose to use sizeof instead of the define, to be a little more on the
> safe side, but I didn't change SNMPD_MAXCONTEXNAMELEN to keep the diff
> small.
>
> OK?
>
> martijn@
>
> Index: snmpe.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v
> retrieving revision 1.76
> diff -u -p -r1.76 snmpe.c
> --- snmpe.c 6 Sep 2021 13:32:18 -0000 1.76
> +++ snmpe.c 26 Sep 2021 08:19:59 -0000
> @@ -237,7 +237,7 @@ snmpe_parse(struct snmp_message *msg)
> long long errval, erridx;
> u_int class;
> char *comn;
> - char *flagstr, *ctxname;
> + char *flagstr, *ctxname, *engineid;
> size_t len;
> struct sockaddr_storage *ss = &msg->sm_ss;
> struct ber_element *root = msg->sm_req;
> @@ -300,9 +300,12 @@ snmpe_parse(struct snmp_message *msg)
> }
>
> if (ober_scanf_elements(a, "{xxeS$}$",
> - &msg->sm_ctxengineid, &msg->sm_ctxengineid_len,
> - &ctxname, &len, &msg->sm_pdu) != 0)
> + &engineid, &msg->sm_ctxengineid_len, &ctxname, &len,
> + &msg->sm_pdu) != 0)
> goto parsefail;
> + if (msg->sm_ctxengineid_len > sizeof(msg->sm_ctxengineid))
> + goto parsefail;
> + memcpy(msg->sm_ctxengineid, engineid, msg->sm_ctxengineid_len);
> if (len > SNMPD_MAXCONTEXNAMELEN)
> goto parsefail;
> memcpy(msg->sm_ctxname, ctxname, len);
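Review bot: The new bound check `if (msg->sm_ctxengineid_len > sizeof(msg->sm_ctxengineid))` is only meaningful if sm_ctxengineid has become an array member of struct snmp_message, and that declaration change is not in this diff (the field was previously filled as a pointer by ober_scanf_elements), so a reader of this hunk cannot tell that sizeof is not the size of a pointer; a one-line comment such as `/* sm_ctxengineid is a fixed-size array; bound the copy by its size */` above the check would make the intent explicit. The adjacent context-name copy is still bounded by the SNMPD_MAXCONTEXNAMELEN define rather than by sizeof(msg->sm_ctxname), so the two copies now use different bounding styles; if sm_ctxname is sized from that same define this is fine, but it is worth either a comment or switching it to sizeof as well so both checks are visibly tied to the destination. Neither memcpy NUL-terminates; that is pre-existing for the context name and presumably acceptable for the binary engine ID, provided every consumer uses sm_ctxengineid_len rather than treating the field as a string. snmpe_parse begins and ends outside this hunk.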
>