marshal.go: stricter cursor bounds checking in unmarshalPayload (#384)

TimRots · web-flow · commit 03d926140868 · 2021-11-12T02:03:42.000+01:00
Stricter bounds checking for cursor in unmarshalPayload, to ensure it does not exceed or equals ``len(packet)``, preventinga panic when receiving a malformed packet. Special thanks to Amplia Security for disclosing this issue responsibly. Fixes #381 Signed-off-by: Tim Rots <tim.rots@protonmail.ch>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,6 +17,7 @@ number of octets as per ITU-T Rec. X.690 (07/2002).
 * [ENHANCEMENT] helper.go: Interpreting the value of an Opaque type as binary data if the Opaque sub-type cannot be recognized #374
 * [ENHANCEMENT] helper.go: Implemented Opaque type marshaling #374
 * [BUGFIX] marshal.go: Fixed invalid OpaqueFloat and OpaqueDouble marshaling in marshalVarbind() function #374
+* [BUGFIX] marshal.go: stricter cursor bounds checking in unmarshalPayload #384
 
 ## v1.33.0
 
diff --git a/marshal.go b/marshal.go
@@ -1034,7 +1034,7 @@ func (x *GoSNMP) unmarshalPayload(packet []byte, cursor int, response *SnmpPacke
 	if len(packet) == 0 {
 		return errors.New("cannot unmarshal nil or empty payload packet")
 	}
-	if cursor > len(packet) {
+	if cursor >= len(packet) {
 		return fmt.Errorf("cannot unmarshal payload, packet length %d cursor %d", len(packet), cursor)
 	}
 	if response == nil {

Original file line number	Diff line number	Diff line change
`@@ -1034,7 +1034,7 @@ func (x GoSNMP) unmarshalPayload(packet []byte, cursor int, response SnmpPacke`
`1034`	`1034`	`if len(packet) == 0 {`
`1035`	`1035`	`return errors.New("cannot unmarshal nil or empty payload packet")`
`1036`	`1036`	`}`
`1037`		`- if cursor > len(packet) {`
	`1037`	`+ if cursor >= len(packet) {`
`1038`	`1038`	`return fmt.Errorf("cannot unmarshal payload, packet length %d cursor %d", len(packet), cursor)`
`1039`	`1039`	`}`
`1040`	`1040`	`if response == nil {`