Make sure that unpacking of an AgentX OID doesn't contain more than 128

elements.

OK tb@

diff --git a/lib/libagentx/ax.c b/lib/libagentx/ax.c
index 4f96322..5e1b0e0 100644 (file)
--- a/lib/libagentx/ax.c
+++ b/lib/libagentx/ax.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ax.c,v 1.8 2021/10/24 17:43:38 martijn Exp $ */
+/*     $OpenBSD: ax.c,v 1.9 2023/10/24 08:48:41 martijn Exp $ */
 /*
  * Copyright (c) 2019 Martijn van Duren <martijn@openbsd.org>
  *
@@ -1262,6 +1262,8 @@ ax_pdutooid(struct ax_pdu_header *header, struct ax_oid *oid,
        }
        buf++;
        oid->aoi_include = *buf;
+       if (oid->aoi_idlen > AX_OID_MAX_LEN)
+               goto fail;
        for (buf += 2; i < oid->aoi_idlen; i++, buf += 4)
                oid->aoi_id[i] = ax_pdutoh32(header, buf);
 

diff --git a/usr.sbin/snmpd/ax.c b/usr.sbin/snmpd/ax.c
index 63add68..418e931 100644 (file)
--- a/usr.sbin/snmpd/ax.c
+++ b/usr.sbin/snmpd/ax.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ax.c,v 1.1 2022/08/23 08:56:20 martijn Exp $ */
+/*     $OpenBSD: ax.c,v 1.2 2023/10/24 08:48:41 martijn Exp $ */
 /*
  * Copyright (c) 2019 Martijn van Duren <martijn@openbsd.org>
  *
@@ -1442,6 +1442,8 @@ ax_pdutooid(struct ax_pdu_header *header, struct ax_oid *oid,
        }
        buf++;
        oid->aoi_include = *buf;
+       if (oid->aoi_idlen > AX_OID_MAX_LEN)
+               goto fail;
        for (buf += 2; i < oid->aoi_idlen; i++, buf += 4)
                oid->aoi_id[i] = ax_pdutoh32(header, buf);