Fix GH-21336: use zend_argument_value_error in snmp setSecurity.

devnexen · devnexen · commit 293b85ed4def · 2026-03-05T13:24:22.000Z
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
@@ -1105,7 +1105,8 @@ static bool netsnmp_session_set_contextEngineID(struct snmp_session *s, zend_str
 /* {{{ Set all snmpv3-related security options */
 static ZEND_ATTRIBUTE_NONNULL_ARGS(2) bool netsnmp_session_set_security(struct snmp_session *session, zend_string *sec_level,
 	zend_string *auth_protocol, zend_string *auth_passphrase, zend_string *priv_protocol,
-	zend_string *priv_passphrase, zend_string *contextName, zend_string *contextEngineID)
+	zend_string *priv_passphrase, zend_string *contextName, zend_string *contextEngineID,
+	uint32_t auth_protocol_argnum)
 {
 
 	/* Setting the security level. */
@@ -1117,7 +1118,7 @@ static ZEND_ATTRIBUTE_NONNULL_ARGS(2) bool netsnmp_session_set_security(struct s
 	if (session->securityLevel == SNMP_SEC_LEVEL_AUTHNOPRIV || session->securityLevel == SNMP_SEC_LEVEL_AUTHPRIV) {
 
 		if (!auth_protocol) {
-			zend_value_error("Authentication protocol is required for security level \"authNoPriv\" or \"authPriv\"");
+			zend_argument_value_error(auth_protocol_argnum, "cannot be null when security level is \"authNoPriv\" or \"authPriv\"");
 			return false;
 		}
 
@@ -1128,7 +1129,7 @@ static ZEND_ATTRIBUTE_NONNULL_ARGS(2) bool netsnmp_session_set_security(struct s
 		}
 
 		if (!auth_passphrase) {
-			zend_value_error("Authentication passphrase is required for security level \"authNoPriv\" or \"authPriv\"");
+			zend_argument_value_error(auth_protocol_argnum + 1, "cannot be null when security level is \"authNoPriv\" or \"authPriv\"");
 			return false;
 		}
 
@@ -1141,7 +1142,7 @@ static ZEND_ATTRIBUTE_NONNULL_ARGS(2) bool netsnmp_session_set_security(struct s
 		if (session->securityLevel == SNMP_SEC_LEVEL_AUTHPRIV) {
 
 			if (!priv_protocol) {
-				zend_value_error("Privacy protocol is required for security level \"authPriv\"");
+				zend_argument_value_error(auth_protocol_argnum + 2, "cannot be null when security level is \"authPriv\"");
 				return false;
 			}
 
@@ -1152,7 +1153,7 @@ static ZEND_ATTRIBUTE_NONNULL_ARGS(2) bool netsnmp_session_set_security(struct s
 			}
 
 			if (!priv_passphrase) {
-				zend_value_error("Privacy passphrase is required for security level \"authPriv\"");
+				zend_argument_value_error(auth_protocol_argnum + 3, "cannot be null when security level is \"authPriv\"");
 				return false;
 			}
 
@@ -1316,7 +1317,7 @@ static void php_snmp(INTERNAL_FUNCTION_PARAMETERS, int st, int version)
 			netsnmp_session_free(&session);
 			RETURN_FALSE;
 		}
-		if (version == SNMP_VERSION_3 && !netsnmp_session_set_security(session, a3, a4, a5, a6, a7, NULL, NULL)) {
+		if (version == SNMP_VERSION_3 && !netsnmp_session_set_security(session, a3, a4, a5, a6, a7, NULL, NULL, 4)) {
 			php_free_objid_query(&objid_query, oid_ht, value_ht, st);
 			netsnmp_session_free(&session);
 			/* Warning message sent already, just bail out */
@@ -1691,7 +1692,7 @@ PHP_METHOD(SNMP, setSecurity)
 		RETURN_THROWS();
 	}
 
-	if (!netsnmp_session_set_security(snmp_object->session, a1, a2, a3, a4, a5, a6, a7)) {
+	if (!netsnmp_session_set_security(snmp_object->session, a1, a2, a3, a4, a5, a6, a7, 2)) {
 		/* Warning message sent already, just bail out */
 		RETURN_FALSE;
 	}
diff --git a/ext/snmp/tests/gh21336.phpt b/ext/snmp/tests/gh21336.phpt
@@ -35,7 +35,7 @@ try {
 }
 ?>
 --EXPECT--
-Authentication protocol is required for security level "authNoPriv" or "authPriv"
-Authentication passphrase is required for security level "authNoPriv" or "authPriv"
-Privacy protocol is required for security level "authPriv"
-Privacy passphrase is required for security level "authPriv"
+SNMP::setSecurity(): Argument #2 ($authProtocol) cannot be null when security level is "authNoPriv" or "authPriv"
+SNMP::setSecurity(): Argument #3 ($authPassphrase) cannot be null when security level is "authNoPriv" or "authPriv"
+SNMP::setSecurity(): Argument #4 ($privacyProtocol) cannot be null when security level is "authPriv"
+SNMP::setSecurity(): Argument #5 ($privacyPassphrase) cannot be null when security level is "authPriv"

Original file line number	Diff line number	Diff line change
`@@ -1105,7 +1105,8 @@ static bool netsnmp_session_set_contextEngineID(struct snmp_session *s, zend_str`
`1105`	`1105`	`/* {{{ Set all snmpv3-related security options */`
`1106`	`1106`	`static ZEND_ATTRIBUTE_NONNULL_ARGS(2) bool netsnmp_session_set_security(struct snmp_session session, zend_string sec_level,`
`1107`	`1107`	`zend_string auth_protocol, zend_string auth_passphrase, zend_string *priv_protocol,`
`1108`		`- zend_string priv_passphrase, zend_string contextName, zend_string *contextEngineID)`
	`1108`	`+ zend_string priv_passphrase, zend_string contextName, zend_string *contextEngineID,`
	`1109`	`+ uint32_t auth_protocol_argnum)`
`1109`	`1110`	`{`
`1110`	`1111`
`1111`	`1112`	`/* Setting the security level. */`
`@@ -1117,7 +1118,7 @@ static ZEND_ATTRIBUTE_NONNULL_ARGS(2) bool netsnmp_session_set_security(struct s`
`1117`	`1118`	`if (session->securityLevel == SNMP_SEC_LEVEL_AUTHNOPRIV \|\| session->securityLevel == SNMP_SEC_LEVEL_AUTHPRIV) {`
`1118`	`1119`
`1119`	`1120`	`if (!auth_protocol) {`
`1120`		`- zend_value_error("Authentication protocol is required for security level \"authNoPriv\" or \"authPriv\"");`
	`1121`	`+ zend_argument_value_error(auth_protocol_argnum, "cannot be null when security level is \"authNoPriv\" or \"authPriv\"");`
`1121`	`1122`	`return false;`
`1122`	`1123`	`}`
`1123`	`1124`
`@@ -1128,7 +1129,7 @@ static ZEND_ATTRIBUTE_NONNULL_ARGS(2) bool netsnmp_session_set_security(struct s`
`1128`	`1129`	`}`
`1129`	`1130`
`1130`	`1131`	`if (!auth_passphrase) {`
`1131`		`- zend_value_error("Authentication passphrase is required for security level \"authNoPriv\" or \"authPriv\"");`
	`1132`	`+ zend_argument_value_error(auth_protocol_argnum + 1, "cannot be null when security level is \"authNoPriv\" or \"authPriv\"");`
`1132`	`1133`	`return false;`
`1133`	`1134`	`}`
`1134`	`1135`
`@@ -1141,7 +1142,7 @@ static ZEND_ATTRIBUTE_NONNULL_ARGS(2) bool netsnmp_session_set_security(struct s`
`1141`	`1142`	`if (session->securityLevel == SNMP_SEC_LEVEL_AUTHPRIV) {`
`1142`	`1143`
`1143`	`1144`	`if (!priv_protocol) {`
`1144`		`- zend_value_error("Privacy protocol is required for security level \"authPriv\"");`
	`1145`	`+ zend_argument_value_error(auth_protocol_argnum + 2, "cannot be null when security level is \"authPriv\"");`
`1145`	`1146`	`return false;`
`1146`	`1147`	`}`
`1147`	`1148`
`@@ -1152,7 +1153,7 @@ static ZEND_ATTRIBUTE_NONNULL_ARGS(2) bool netsnmp_session_set_security(struct s`
`1152`	`1153`	`}`
`1153`	`1154`
`1154`	`1155`	`if (!priv_passphrase) {`
`1155`		`- zend_value_error("Privacy passphrase is required for security level \"authPriv\"");`
	`1156`	`+ zend_argument_value_error(auth_protocol_argnum + 3, "cannot be null when security level is \"authPriv\"");`
`1156`	`1157`	`return false;`
`1157`	`1158`	`}`
`1158`	`1159`
`@@ -1316,7 +1317,7 @@ static void php_snmp(INTERNAL_FUNCTION_PARAMETERS, int st, int version)`
`1316`	`1317`	`netsnmp_session_free(&session);`
`1317`	`1318`	`RETURN_FALSE;`
`1318`	`1319`	`}`
`1319`		`- if (version == SNMP_VERSION_3 && !netsnmp_session_set_security(session, a3, a4, a5, a6, a7, NULL, NULL)) {`
	`1320`	`+ if (version == SNMP_VERSION_3 && !netsnmp_session_set_security(session, a3, a4, a5, a6, a7, NULL, NULL, 4)) {`
`1320`	`1321`	`php_free_objid_query(&objid_query, oid_ht, value_ht, st);`
`1321`	`1322`	`netsnmp_session_free(&session);`
`1322`	`1323`	`/* Warning message sent already, just bail out */`
`@@ -1691,7 +1692,7 @@ PHP_METHOD(SNMP, setSecurity)`
`1691`	`1692`	`RETURN_THROWS();`
`1692`	`1693`	`}`
`1693`	`1694`
`1694`		`- if (!netsnmp_session_set_security(snmp_object->session, a1, a2, a3, a4, a5, a6, a7)) {`
	`1695`	`+ if (!netsnmp_session_set_security(snmp_object->session, a1, a2, a3, a4, a5, a6, a7, 2)) {`
`1695`	`1696`	`/* Warning message sent already, just bail out */`
`1696`	`1697`	`RETURN_FALSE;`
`1697`	`1698`	`}`