SNMP: Add some bounds checks

author Francois-Xavier Le Bail <[email protected]>

Fri, 7 Oct 2016 16:08:42 +0000 (18:08 +0200)

committer Francois-Xavier Le Bail <[email protected]>

Wed, 18 Jan 2017 08:16:40 +0000 (09:16 +0100)
author Francois-Xavier Le Bail <[email protected]>
Fri, 7 Oct 2016 16:08:42 +0000 (18:08 +0200)
committer Francois-Xavier Le Bail <[email protected]>
Wed, 18 Jan 2017 08:16:40 +0000 (09:16 +0100)
diff --git a/print-snmp.c b/print-snmp.c

index c97141e3099d3628a35dd0308baa3f3a519a3d80..b3ef26c0ac1ea1f3dd479f09440920db1e76ef9d 100644 (file)
--- a/print-snmp.c
+++ b/print-snmp.c
@@ -447,13 +447,18 @@ asn1_parse(netdissect_options *ndo,
                  * bit set.  XXX - this doesn't handle a value
                  * that won't fit in 32 bits.
                  */
-               for (id = 0; *p & ASN_BIT8; len--, hdr++, p++) {
+               id = 0;
+               ND_TCHECK(*p);
+               while (*p & ASN_BIT8) {
                         if (len < 1) {
                                 ND_PRINT((ndo, "[Xtagfield?]"));
                                 return -1;
                         }
-                       ND_TCHECK(*p);
                         id = (id << 7) | (*p & ~ASN_BIT8);
+                       len--;
+                       hdr++;
+                       p++;
+                       ND_TCHECK(*p);
                 }
                 if (len < 1) {
                         ND_PRINT((ndo, "[Xtagfield?]"));
author	Francois-Xavier Le Bail <[email protected]>
	Fri, 7 Oct 2016 16:08:42 +0000 (18:08 +0200)
committer	Francois-Xavier Le Bail <[email protected]>
	Wed, 18 Jan 2017 08:16:40 +0000 (09:16 +0100)