try out @nielsdos suggestion, delaying free object_id at the end of the call.

devnexen · devnexen · commit 215f9a9994d0 · 2024-11-30T17:06:16.000Z
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
@@ -626,6 +626,40 @@ static void php_snmp_internal(INTERNAL_FUNCTION_PARAMETERS, int st,
 }
 /* }}} */
 
+static void php_snmp_zend_string_release_from_char_pointer(char *ptr) {
+	if (ptr) {
+		zend_string *pptr = (zend_string *)(ptr - XtOffsetOf(zend_string, val));
+		if (GC_REFCOUNT(pptr)) {
+			zend_string_release(pptr);
+		}
+	}
+}
+
+static void php_free_objid_query(struct objid_query *objid_query, HashTable* oid_ht, zend_string *value_str, HashTable *value_ht, int st) {
+#define PHP_FREE_OBJID_VAL(arg)									\
+	do {											\
+			if (value_ht && !value_str) { 						\
+				php_snmp_zend_string_release_from_char_pointer(arg->value); 	\
+			}									\
+			php_snmp_zend_string_release_from_char_pointer(&arg->type);		\
+		php_snmp_zend_string_release_from_char_pointer(arg->oid);			\
+	} while (0)
+
+	if (oid_ht) {
+		uint32_t i = 0, count = zend_hash_num_elements(oid_ht);
+
+		while (i < count) {
+			snmpobjarg *arg = &objid_query->vars[i];
+			if (!arg->oid) {
+				break;
+			}
+			PHP_FREE_OBJID_VAL(arg);
+			i ++;
+		}
+	}
+	efree(objid_query->vars);
+}
+
 /* {{{ php_snmp_parse_oid
 *
 * OID parser (and type, value for SNMP_SET command)
@@ -674,15 +708,15 @@ static bool php_snmp_parse_oid(
 			return false;
 		}
 		objid_query->vars = (snmpobjarg *)safe_emalloc(sizeof(snmpobjarg), zend_hash_num_elements(oid_ht), 0);
+		memset(objid_query->vars, 0, sizeof(snmpobjarg) * zend_hash_num_elements(oid_ht));
 		objid_query->array_output = (st & SNMP_CMD_SET) == 0;
 		ZEND_HASH_FOREACH_VAL(oid_ht, tmp_oid) {
 			zend_string *tmp = zval_try_get_string(tmp_oid);
 			if (!tmp) {
-				efree(objid_query->vars);
+				php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 				return false;
 			}
 			objid_query->vars[objid_query->count].oid = ZSTR_VAL(tmp);
-			zend_string_release(tmp);
 			if (st & SNMP_CMD_SET) {
 				if (type_str) {
 					pptr = ZSTR_VAL(type_str);
@@ -706,18 +740,23 @@ static bool php_snmp_parse_oid(
 						}
 					}
 					if (idx_type < type_ht->nNumUsed) {
-						convert_to_string(tmp_type);
-						if (Z_STRLEN_P(tmp_type) != 1) {
+						zend_string *type = zval_try_get_string(tmp_type);
+						if (!type) {
+							php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
+							return false;
+						}
+						if (ZSTR_LEN(type) != 1) {
 							zend_value_error("Type must be a single character");
-							efree(objid_query->vars);
+							zend_string_release(type);
+							php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 							return false;
 						}
-						pptr = Z_STRVAL_P(tmp_type);
+						pptr = ZSTR_VAL(type);
 						objid_query->vars[objid_query->count].type = *pptr;
 						idx_type++;
 					} else {
-						php_error_docref(NULL, E_WARNING, "'%s': no type set", Z_STRVAL_P(tmp_oid));
-						efree(objid_query->vars);
+						php_error_docref(NULL, E_WARNING, "'%s': no type set", ZSTR_VAL(tmp));
+						php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 						return false;
 					}
 				}
@@ -743,12 +782,16 @@ static bool php_snmp_parse_oid(
 						}
 					}
 					if (idx_value < value_ht->nNumUsed) {
-						convert_to_string(tmp_value);
-						objid_query->vars[objid_query->count].value = Z_STRVAL_P(tmp_value);
+						zend_string *tmp = zval_try_get_string(tmp_value);
+						if (!tmp) {
+							php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
+							return false;
+						}
+						objid_query->vars[objid_query->count].value = ZSTR_VAL(tmp);
 						idx_value++;
 					} else {
-						php_error_docref(NULL, E_WARNING, "'%s': no value set", Z_STRVAL_P(tmp_oid));
-						efree(objid_query->vars);
+						php_error_docref(NULL, E_WARNING, "'%s': no value set", ZSTR_VAL(tmp));
+						php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 						return false;
 					}
 				}
@@ -761,14 +804,14 @@ static bool php_snmp_parse_oid(
 	if (st & SNMP_CMD_WALK) {
 		if (objid_query->count > 1) {
 			php_snmp_error(object, PHP_SNMP_ERRNO_OID_PARSING_ERROR, "Multi OID walks are not supported!");
-			efree(objid_query->vars);
+			php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 			return false;
 		}
 		objid_query->vars[0].name_length = MAX_NAME_LEN;
 		if (strlen(objid_query->vars[0].oid)) { /* on a walk, an empty string means top of tree - no error */
 			if (!snmp_parse_oid(objid_query->vars[0].oid, objid_query->vars[0].name, &(objid_query->vars[0].name_length))) {
 				php_snmp_error(object, PHP_SNMP_ERRNO_OID_PARSING_ERROR, "Invalid object identifier: %s", objid_query->vars[0].oid);
-				efree(objid_query->vars);
+				php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 				return false;
 			}
 		} else {
@@ -780,7 +823,7 @@ static bool php_snmp_parse_oid(
 			objid_query->vars[objid_query->offset].name_length = MAX_OID_LEN;
 			if (!snmp_parse_oid(objid_query->vars[objid_query->offset].oid, objid_query->vars[objid_query->offset].name, &(objid_query->vars[objid_query->offset].name_length))) {
 				php_snmp_error(object, PHP_SNMP_ERRNO_OID_PARSING_ERROR, "Invalid object identifier: %s", objid_query->vars[objid_query->offset].oid);
-				efree(objid_query->vars);
+				php_free_objid_query(objid_query, oid_ht, value_str, value_ht, st);
 				return false;
 			}
 		}
@@ -1257,12 +1300,12 @@ static void php_snmp(INTERNAL_FUNCTION_PARAMETERS, int st, int version)
 
 	if (session_less_mode) {
 		if (!netsnmp_session_init(&session, version, a1, a2, timeout, retries)) {
-			efree(objid_query.vars);
+			php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 			netsnmp_session_free(&session);
 			RETURN_FALSE;
 		}
 		if (version == SNMP_VERSION_3 && !netsnmp_session_set_security(session, a3, a4, a5, a6, a7, NULL, NULL)) {
-			efree(objid_query.vars);
+			php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 			netsnmp_session_free(&session);
 			/* Warning message sent already, just bail out */
 			RETURN_FALSE;
@@ -1273,7 +1316,7 @@ static void php_snmp(INTERNAL_FUNCTION_PARAMETERS, int st, int version)
 		session = snmp_object->session;
 		if (!session) {
 			zend_throw_error(NULL, "Invalid or uninitialized SNMP object");
-			efree(objid_query.vars);
+			php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 			RETURN_THROWS();
 		}
 
@@ -1299,7 +1342,7 @@ static void php_snmp(INTERNAL_FUNCTION_PARAMETERS, int st, int version)
 
 	php_snmp_internal(INTERNAL_FUNCTION_PARAM_PASSTHRU, st, session, &objid_query);
 
-	efree(objid_query.vars);
+	php_free_objid_query(&objid_query, oid_ht, value_str, value_ht, st);
 
 	if (session_less_mode) {
 		netsnmp_session_free(&session);
diff --git a/ext/snmp/tests/gh16959.phpt b/ext/snmp/tests/gh16959.phpt
@@ -19,6 +19,22 @@ var_dump(snmpget($hostname, "", $bad_object_ids) === false);
 var_dump($bad_object_ids);
 try {
 	snmpget($hostname, "", [0 => new stdClass()]);
+} catch (Throwable $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+
+try {
+	snmp2_set($hostname, $communityWrite, $bad_object_ids, array(new stdClass()), array(null));
+} catch (Throwable $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	snmp2_set($hostname, $communityWrite, $bad_object_ids, array("toolongtype"), array(null));
+} catch (Throwable $e) {
+	echo $e->getMessage() . PHP_EOL;
+}
+try {
+	snmp2_set($hostname, $communityWrite, $bad_object_ids, array(str_repeat("onetoomuch", random_int(1, 1))), array(null));
 } catch (Throwable $e) {
 	echo $e->getMessage();
 }
@@ -35,7 +51,7 @@ array(4) {
   int(0)
 }
 
-Warning: snmpget(): Invalid object identifier: -229 in %s on line %d
+Warning: snmpget(): Invalid object identifier: -54 in %s on line %d
 bool(true)
 array(4) {
   [63]=>
@@ -48,3 +64,6 @@ array(4) {
   int(0)
 }
 Object of class stdClass could not be converted to string
+Object of class stdClass could not be converted to string
+Type must be a single character
+Type must be a single character
