Fix GH-21336: undefined behavior in snmp setSecurity.

devnexen · devnexen · commit 90862fe71add · 2026-03-04T05:37:42.000Z
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
@@ -961,6 +961,10 @@ static bool netsnmp_session_set_sec_level(struct snmp_session *s, zend_string *l
 /* {{{ Set the authentication protocol in the snmpv3 session */
 static bool netsnmp_session_set_auth_protocol(struct snmp_session *s, zend_string *prot)
 {
+	if (!prot) {
+		zend_value_error("Authentication protocol can't be NULL");
+		return false;
+	}
 #ifndef DISABLE_MD5
 	if (zend_string_equals_literal_ci(prot, "MD5")) {
 		s->securityAuthProto = usmHMACMD5AuthProtocol;
@@ -1013,6 +1017,10 @@ static bool netsnmp_session_set_auth_protocol(struct snmp_session *s, zend_strin
 /* {{{ Set the security protocol in the snmpv3 session */
 static bool netsnmp_session_set_sec_protocol(struct snmp_session *s, zend_string *prot)
 {
+	if (!prot) {
+		zend_value_error("Security protocol can't be NULL");
+		return false;
+	}
 #ifndef NETSNMP_DISABLE_DES
 	if (zend_string_equals_literal_ci(prot, "DES")) {
 		s->securityPrivProto = usmDESPrivProtocol;
@@ -1051,6 +1059,12 @@ static bool netsnmp_session_set_sec_protocol(struct snmp_session *s, zend_string
 static bool netsnmp_session_gen_auth_key(struct snmp_session *s, zend_string *pass)
 {
 	int snmp_errno;
+
+	if (!pass) {
+		zend_value_error("Authentication key can't be NULL");
+		return false;
+	}
+
 	s->securityAuthKeyLen = USM_AUTH_KU_LEN;
 	if ((snmp_errno = generate_Ku(s->securityAuthProto, s->securityAuthProtoLen,
 			(uint8_t *) ZSTR_VAL(pass), ZSTR_LEN(pass),
@@ -1067,6 +1081,11 @@ static bool netsnmp_session_gen_sec_key(struct snmp_session *s, zend_string *pas
 {
 	int snmp_errno;
 
+	if (!pass) {
+		zend_value_error("Security key can't be NULL");
+		return false;
+	}
+
 	s->securityPrivKeyLen = USM_PRIV_KU_LEN;
 	if ((snmp_errno = generate_Ku(s->securityAuthProto, s->securityAuthProtoLen,
 			(uint8_t *)ZSTR_VAL(pass), ZSTR_LEN(pass),
diff --git a/ext/snmp/tests/gh21336.phpt b/ext/snmp/tests/gh21336.phpt
@@ -0,0 +1,41 @@
+--TEST--
+GH-21336 (undefined behavior in snmp - NULL pointer dereference in setSecurity)
+--EXTENSIONS--
+snmp
+--FILE--
+<?php
+$session = new SNMP(SNMP::VERSION_3, 'localhost', 'user');
+
+// auth protocol NULL
+try {
+	$session->setSecurity('authPriv');
+} catch (ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+
+// auth passphrase NULL
+try {
+	$session->setSecurity('authNoPriv', 'MD5');
+} catch (ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+
+// priv protocol NULL
+try {
+	$session->setSecurity('authPriv', 'MD5', 'test12345');
+} catch (ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+
+// priv passphrase NULL
+try {
+	$session->setSecurity('authPriv', 'MD5', 'test12345', 'AES');
+} catch (ValueError $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+?>
+--EXPECT--
+Authentication protocol can't be NULL
+Authentication key can't be NULL
+Security protocol can't be NULL
+Security key can't be NULL
