Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 10 Jan 2025 20:30:19 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 283909] bsnmpget/walk: coredump when SNMPPASSWD is empty
Message-ID:  <bug-283909-227-k0m3jUtFz5@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-283909-227@https.bugs.freebsd.org/bugzilla/>
References:  <bug-283909-227@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help 
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D283909

Mark Johnston <markj@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markj@FreeBSD.org

--- Comment #4 from Mark Johnston <markj@FreeBSD.org> ---
(In reply to Gleb Smirnoff from comment #3)
Looks reasonable to me.  The code which allocates the buffer also looks wro=
ng:

 174         if ((str =3D getenv("SNMPPASSWD")) !=3D NULL) {=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
 175                 if ((slen =3D strlen(str)) > MAXSTR)=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
 176                         slen =3D MAXSTR - 1;=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
 177                 if ((snmptoolctx->passwd =3D malloc(slen + 1)) =3D=3D =
NULL) {=20=20=20=20
 178                         warn("malloc() failed");=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
 179                         return (-1);=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20
 180                 }=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20
 181                 if (slen > 0)=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=
=20=20=20=20=20=20=20=20
 182                         strlcpy(snmptoolctx->passwd, str, slen + 1);=
=20=20=20=20=20=20=20
 183         }=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20

Aren't we leaving passwd[0] uninitialized if slen =3D=3D 0?

--=20
You are receiving this mail because:
You are the assignee for the bug.=

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-283909-227-k0m3jUtFz5>