From 3699ef323c63bbd308ecc033b4e6361571357c06 Mon Sep 17 00:00:00 2001
From: martijn <martijn@openbsd.org>
Date: Thu, 7 May 2026 14:51:20 +0000
Subject: [PATCH] Include the padding length when testing the remaining bytes
 in an octet string, to prevent a size_t underflow on a malformed packet and
 make us run into infinity.

Same diff as for snmpd
---
 lib/libagentx/ax.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/libagentx/ax.c b/lib/libagentx/ax.c
index f4d6eb7e977..39ec63ac5c9 100644
--- a/lib/libagentx/ax.c
+++ b/lib/libagentx/ax.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ax.c,v 1.11 2025/09/08 08:43:39 jsg Exp $ */
+/*	$OpenBSD: ax.c,v 1.12 2026/05/07 14:51:20 martijn Exp $ */
 /*
  * Copyright (c) 2019 Martijn van Duren <martijn@openbsd.org>
  *
@@ -1286,7 +1286,7 @@ ax_pdutoostring(struct ax_pdu_header *header,
 	ostring->aos_slen = ax_pdutoh32(header, buf);
 	rawlen -= 4;
 	buf += 4;
-	if (ostring->aos_slen > rawlen)
+	if (((ostring->aos_slen + 3) & ~3U) > rawlen)
 		goto fail;
 	if ((ostring->aos_string = malloc(ostring->aos_slen + 1)) == NULL)
 		return -1;