SNMP has a restricted BER encoding especially all encodings use the

definite-length from. So bail out with an error if this is not the case.
OK cloder@, reyk@
cvs: ----------------------------------------------------------------------

1 files changed, 7 insertions, 5 deletions

diff --git a/usr.sbin/snmpd/ber.c b/usr.sbin/snmpd/ber.c
index 0b96000f936..5610154024d 100644
--- a/usr.sbin/snmpd/ber.c
+++ b/usr.sbin/snmpd/ber.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ber.c,v 1.7 2008/03/12 13:06:09 claudio Exp $ */
+/*	$OpenBSD: ber.c,v 1.8 2008/03/12 13:09:12 claudio Exp $ */
 
 /*
  * Copyright (c) 2007 Reyk Floeter <reyk@vantronix.net>
@@ -940,8 +940,7 @@ get_id(struct ber *b, unsigned long *tag, int *class, int *cstruct)
 }
 
 /*
- * extract length of a ber object -- if length is unknown a length of -1 is
- * returned.
+ * extract length of a ber object -- if length is unknown an error is returned.
  */
 static ssize_t
 get_len(struct ber *b, ssize_t *len)
@@ -976,8 +975,11 @@ get_len(struct ber *b, ssize_t *len)
 		return -1;
 	}
 
-	if (s == 0)
-		s = -1;
+	if (s == 0) {
+		/* invalid encoding */
+		errno = EINVAL;
+		return -1;
+	}
 
 	*len = s;
 	return r;