We can accept an OID string as input in a few cases (mainly via a side channel), and if a crafted OID string is sent, the internal function asn1_size_oid() can end up with a stack buffer overflow.
The issue happens when one OID node is too large, or the OID is invalid (no dots or ending with dots) - we can fix it in _cupsSNMPStringToOID() by checking for a dot or if the last source character is a dot (invalid OID), and by limiting the integer for an OID node to 0xffff.
Fixes #905
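
Added example, not code from the commit or from CUPS: a strict dotted-OID parser that applies the three checks the message names (at least one dot, no trailing dot, each node capped at 0xffff). The function name `parse_oid_string`, its signature and its return convention are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define OID_NODE_MAX 0xffff  /* per-node limit named in the commit message */

/*
 * Hypothetical helper: parse "1.3.6.1" into dst[] and return the node
 * count, or -1 when the string is rejected. Never writes past dstsize.
 */
int parse_oid_string(const char *src, int *dst, size_t dstsize)
{
  size_t len, n = 0;
  const char *p;
  long value;

  if (!src || !dst || dstsize == 0)
    return -1;

  len = strlen(src);
  if (len == 0 || !strchr(src, '.') || src[len - 1] == '.')
    return -1;                      /* no dot at all, or ends with a dot */

  for (p = src; *p; )
  {
    if (*p < '0' || *p > '9')       /* every node starts with a digit */
      return -1;                    /* also rejects empty nodes ("1..3") */

    for (value = 0; *p >= '0' && *p <= '9'; p++)
    {
      value = value * 10 + (*p - '0');
      if (value > OID_NODE_MAX)     /* checked per digit: cannot wrap */
        return -1;
    }

    if (n >= dstsize)               /* more nodes than the caller's array */
      return -1;
    dst[n++] = (int)value;

    if (*p == '.')
      p++;                          /* trailing dot already ruled out */
    else if (*p)
      return -1;                    /* any other character is invalid */
  }

  return (int)n;
}
```

Checking the limit after every digit, rather than once after the whole node is read, keeps an arbitrarily long run of digits from overflowing the accumulator before the comparison happens.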