From aa0601a66d7c8be077b857c01a2b63b1faf5d4fa Mon Sep 17 00:00:00 2001
From: goldsimon
Date: Thu, 30 Mar 2017 21:31:44 +0200
Subject: [PATCH] snmp_asn1_dec_tlv: explicitly check 'length_bytes > pbuf_stream->length' (for clarity, even if it would fail in pbuf_stream later)
---
 src/apps/snmp/snmp_asn1.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/apps/snmp/snmp_asn1.c b/src/apps/snmp/snmp_asn1.c
index f35b7604..71aad9ce 100644
--- a/src/apps/snmp/snmp_asn1.c
+++ b/src/apps/snmp/snmp_asn1.c
@@ -442,6 +442,9 @@ snmp_asn1_dec_tlv(struct snmp_pbuf_stream* pbuf_stream, struct snmp_asn1_tlv* tl
 tlv->value_len = data;
 } else if (data > 0x80) { /* long form */
 u8_t length_bytes = data - 0x80;
+ if (length_bytes > pbuf_stream->length) {
+ return ERR_VAL;
+ }
 tlv->length_len = length_bytes + 1; /* this byte + defined number of length bytes following */
 tlv->value_len = 0;
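Review bot: The added guard bounds `length_bytes` by the bytes remaining in `pbuf_stream` but not by the width of `tlv->value_len`, and `length_bytes` can reach 0x7F if `data` is a single octet read from the message. The code that accumulates those length octets lies outside this hunk, so the following is inferred: if it shifts them into a fixed-width field, high-order octets are silently dropped and the decoded `value_len` can differ from what the sender encoded. Consider rejecting over-long encodings at the same spot, `if (length_bytes > sizeof(tlv->value_len) || length_bytes > pbuf_stream->length) {`, keeping in mind that this also refuses non-minimal lengths padded with leading zero octets. A short comment above the check, for example `/* length octet count comes from the wire: reject counts larger than the remaining data */`, would keep the reasoning from the commit message next to the code.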