ext/snmp: fix infinite loop in snprint_value retry when val_len is zero #21342

Closed
thomasvincent wants to merge 1 commit into php:master from thomasvincent:fix/snmp-snprint-value-infinite-loop

@thomasvincent

When an SNMP variable has val_len == 0 (valid for empty octet strings),
the snprint_value retry loop doubles val_len on each iteration
(val_len *= 2). Since 0 * 2 == 0, val_len never grows, the
allocated buffer stays at 1 byte, and the 512k break condition is
never reached. This causes an infinite loop consuming CPU.

Fix by clamping val_len to at least sizeof(sbuf) before the loop,
ensuring the doubling produces meaningful growth past the initial stack
buffer size.

When an SNMP variable has val_len == 0 (valid for empty strings),
the snprint_value retry loop doubles val_len on each iteration
(val_len *= 2). Since 0 * 2 == 0, val_len never grows, the
allocated buffer stays at 1 byte, and the 512k break condition is
never reached.

Fix by clamping val_len to at least sizeof(sbuf) before the loop,
ensuring the doubling produces meaningful growth past the initial
stack buffer size.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
@thomasvincent
Author

Closing to re-evaluate the appropriate disclosure channel.
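
The stall described in this pull request, as an added example that is not code from the PR or from php-src: a simplified model of a doubling retry loop, run with and without the clamp. The names `fake_print`, `retry_format`, `SBUF_SIZE` and `GUARD`, the 64-byte stack buffer, and the loop layout are assumptions; only the `val_len *= 2` step, the `val_len + 1` allocation and the 512k limit come from the description above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SBUF_SIZE 64            /* assumed size of the initial stack buffer */
#define MAX_LEN   (512 * 1024)  /* the 512k give-up limit from the description */
#define GUARD     64            /* demo-only retry cap so the stall is observable */

/* Hypothetical stand-in for a formatter that fails when the output does not fit. */
static int fake_print(char *buf, size_t buflen, size_t needed) {
    if (needed + 1 > buflen) return -1;
    memset(buf, 'x', needed);
    buf[needed] = '\0';
    return (int)needed;
}

/* Returns the number of retries on success, -1 when the 512k limit (or an
 * allocation failure) ends the loop, -2 when the buffer stopped growing. */
int retry_format(size_t val_len, size_t needed, int clamp) {
    char sbuf[SBUF_SIZE];
    char *buf = sbuf, *dbuf = NULL;
    size_t buflen = sizeof(sbuf);
    int tries = 0;

    if (clamp && val_len < sizeof(sbuf))
        val_len = sizeof(sbuf);             /* the clamp the PR describes */

    while (fake_print(buf, buflen, needed) < 0) {
        free(dbuf);
        dbuf = NULL;
        if (++tries > GUARD) return -2;     /* without this cap: spins forever */
        val_len *= 2;                       /* 0 * 2 == 0, so no growth from zero */
        if (val_len > MAX_LEN) return -1;
        dbuf = malloc(val_len + 1);         /* stays at 1 byte when val_len == 0 */
        if (!dbuf) return -1;
        buf = dbuf;
        buflen = val_len + 1;
    }
    free(dbuf);
    return tries;
}

int main(void) {
    printf("val_len=0, no clamp: %d\n", retry_format(0, 200, 0));
    printf("val_len=0, clamp:    %d\n", retry_format(0, 200, 1));
    return 0;
}
```

With the clamp, a zero `val_len` reaches a large enough buffer in two retries, and an output that can never fit ends at the 512k limit instead of spinning.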
