Commit f674d3d

ext/snmp: fix infinite loop in snprint_value retry when val_len is zero
When an SNMP variable has val_len == 0 (valid for empty strings), the snprint_value retry loop doubles val_len on each iteration (val_len *= 2). Since 0 * 2 == 0, val_len never grows, the allocated buffer stays at 1 byte, and the 512k break condition is never reached.

Fix by clamping val_len to at least sizeof(sbuf) before the loop, ensuring the doubling produces meaningful growth past the initial stack buffer size.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
1 parent 11a9574 commit f674d3d

1 file changed

+9
-0
lines changed

ext/snmp/snmp.c

Lines changed: 9 additions & 0 deletions
@@ -243,6 +243,15 @@ static void php_snmp_getvalue(struct variable_list *vars, zval *snmpval, int val
243243

244244
/* use emalloc() for large values, use static array otherwise */
245245

246+
/* Ensure val_len is at least sizeof(sbuf) so doubling will grow beyond
247+
* the initial stack buffer. Without this, a zero val_len would cause
248+
* val_len *= 2 to remain zero indefinitely, never reaching the 512k
249+
* break condition.
250+
*/
251+
if (val_len < (int)sizeof(sbuf)) {
252+
val_len = sizeof(sbuf);
253+
}
254+
246255
/* There is no way to know the size of buffer snprint_value() needs in order to print a value there.
247256
* So we are forced to probe it
248257
*/
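
Review bot: The comment on the added block describes only the zero case, but the condition `val_len < (int)sizeof(sbuf)` raises every value below the stack buffer size, including negative ones if val_len is signed as the cast implies; the comment should say so, so that the wider clamp reads as intentional. The assignment `val_len = sizeof(sbuf);` also drops the `(int)` cast used in the comparison one line above it; adding the cast keeps the two lines consistent and makes the size_t-to-int conversion explicit. The commit changes only ext/snmp/snmp.c, so a regression test that retrieves an empty-string value would help keep the retry loop fix from silently regressing.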