Limit num_bytes for SNMP string values.

Author: michaelrsweet

cups/snmp-private.h

@@ -1,7 +1,7 @@
 /*
  * Private SNMP definitions for CUPS.
  *
- * Copyright © 2020-2024 by OpenPrinting.
+ * Copyright © 2020-2026 by OpenPrinting.
  * Copyright © 2007-2014 by Apple Inc.
  * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
  *
@@ -58,9 +58,9 @@ typedef enum cups_asn1_e cups_asn1_t;	/**** ASN1 request/object types ****/
 
 typedef struct cups_snmp_string_s	/**** String value ****/
 {
-  unsigned char	bytes[CUPS_SNMP_MAX_STRING];
-					/* Bytes in string */
   unsigned	num_bytes;		/* Number of bytes */
+  unsigned char	bytes[CUPS_SNMP_MAX_STRING + 1];
+					/* Bytes in string */
 } cups_snmp_string_t;
 
 union cups_snmp_value_u			/**** Object value ****/

cups/snmp.c

@@ -1,7 +1,7 @@
 /*
  * SNMP functions for CUPS.
  *
- * Copyright © 2020-2024 by OpenPrinting.
+ * Copyright © 2020-2026 by OpenPrinting.
  * Copyright © 2007-2019 by Apple Inc.
  * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
  *
@@ -1042,10 +1042,14 @@ asn1_decode_snmp(unsigned char *buffer,	/* I - Buffer */
 	        case CUPS_ASN1_OCTET_STRING :
 	        case CUPS_ASN1_BIT_STRING :
 	        case CUPS_ASN1_HEX_STRING :
-		    packet->object_value.string.num_bytes = length;
 		    asn1_get_string(&bufptr, bufend, length,
 		                    (char *)packet->object_value.string.bytes,
 				    sizeof(packet->object_value.string.bytes));
+
+                    if (length >= sizeof(packet->object_value.string.bytes))
+		      packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
+                    else
+		      packet->object_value.string.num_bytes = length;
 	            break;
 
 	        case CUPS_ASN1_OID :