Limit num_bytes for SNMP string values.

michaelrsweet · michaelrsweet · commit d7fe0f521ff3 · 2026-04-13T11:47:05.000-04:00
diff --git a/cups/snmp-private.h b/cups/snmp-private.h
@@ -1,7 +1,7 @@
 //
 // Private SNMP definitions for CUPS.
 //
-// Copyright © 2020-2024 by OpenPrinting.
+// Copyright © 2020-2026 by OpenPrinting.
 // Copyright © 2007-2014 by Apple Inc.
 // Copyright © 2006-2007 by Easy Software Products, all rights reserved.
 //
@@ -55,9 +55,9 @@ typedef enum cups_asn1_e cups_asn1_t;	// ASN1 request/object types
 
 typedef struct cups_snmp_string_s	// String value
 {
-  unsigned char	bytes[CUPS_SNMP_MAX_STRING];
-					// Bytes in string
   unsigned	num_bytes;		// Number of bytes
+  unsigned char	bytes[CUPS_SNMP_MAX_STRING + 1];
+					// Bytes in string
 } cups_snmp_string_t;
 
 union cups_snmp_value_u			// Object value
diff --git a/cups/snmp.c b/cups/snmp.c
@@ -1,7 +1,7 @@
 /*
  * SNMP functions for CUPS.
  *
- * Copyright © 2020-2024 by OpenPrinting.
+ * Copyright © 2020-2026 by OpenPrinting.
  * Copyright © 2007-2019 by Apple Inc.
  * Copyright © 2006-2007 by Easy Software Products, all rights reserved.
  *
@@ -1014,10 +1014,14 @@ asn1_decode_snmp(unsigned char *buffer,	/* I - Buffer */
 	        case CUPS_ASN1_OCTET_STRING :
 	        case CUPS_ASN1_BIT_STRING :
 	        case CUPS_ASN1_HEX_STRING :
-		    packet->object_value.string.num_bytes = length;
 		    asn1_get_string(&bufptr, bufend, length,
 		                    (char *)packet->object_value.string.bytes,
 				    sizeof(packet->object_value.string.bytes));
+
+                    if (length >= sizeof(packet->object_value.string.bytes))
+		      packet->object_value.string.num_bytes = sizeof(packet->object_value.string.bytes) - 1;
+                    else
+		      packet->object_value.string.num_bytes = length;
 	            break;
 
 	        case CUPS_ASN1_OID :
