snmpd: do not touch uninitialized memory
Alexander Sabourenkov
ber_get_string does no effort to zero-terminate its result.
Index: snmpe.c
===================================================================
RCS file: /cvs/src/usr.sbin/snmpd/snmpe.c,v
retrieving revision 1.25
diff -u snmpe.c
--- snmpe.c 16 Dec 2009 22:17:53 -0000 1.25
+++ snmpe.c 18 Dec 2009 12:15:24 -0000
@@ -433,9 +433,11 @@
root->be_type == SNMP_T_IPADDR) {
fprintf(stderr, "addr %s\n",
inet_ntoa(*(struct in_addr *)buf));
- } else
- fprintf(stderr, "string \"%s\"\n",
- root->be_len ? buf : "");
+ } else {
+ fwrite("string \"", 8, 1, stderr);
+ fwrite(buf, root->be_len, 1, stderr);
+ fwrite("\"\n", 2, 1, stderr);
+ }
break;
case BER_TYPE_NULL: /* no payload */
case BER_TYPE_EOC:
--
./lxnt
Jacek Masiulaniec
> Dumping string-type data would spew contents of uninitialized memory
> because ber_get_string does no effort to zero-terminate its result.
Please submit diffs that apply to -current.
I admit ignorance of SNMP internals but by inspecting the code I
am not convinced this is the right fix. Before working around
missing NUL terminator it must become clear why is it missing in
the first place.
Look at buf_read_element. The BER_TYPE_OCTETSTRING is always
NUL-terminated. Why is the terminator missing few lines later?
Then look at mps_setstr. It strdups BER_TYPE_OCTETSTRING. If NUL
was always missing, then use of strdup would be incorrect. Is it?
Jacek