
Panic on unwrapping of None value #2

Closed
@daniellockyer

Description

@daniellockyer

Found using cargo-fuzz.

It seems that `v[2].content` on line 170 of snmp.rs is `Boolean(true)`, which cannot be converted to a slice; the conversion yields `None`, and the subsequent `unwrap()` panics.

extern crate snmp_parser;

/// Minimal reproducer for the panic reported in this issue.
///
/// Passes the crashing input found by cargo-fuzz to `snmp_parser::parse_snmp_v1`.
/// According to the backtrace in the report, the call panics inside
/// `parse_snmp_v1_content` (snmp.rs:170) on an `Option::unwrap()` of `None`
/// instead of returning a parse error.
fn main() {
    // Crash artifact bytes, kept verbatim from the fuzzer output.
    const CRASH_INPUT: &[u8] = b"01\x02\x02~\xfd\x04(TTY00\x02\x02\xfe\xfd\xfd(ET\xab\xab\xab\x02\x02\x020\x02XXX\xff\xff\xff\xff\xff\xffXX\xff\xff\xff\xff\xff\x01\x00\x00\x01\x00\x00\x00\x00\xfdTN\xab\xab\xab\xab\xab\xc6\xc6\xab";

    // Only the panic is of interest, so the parse result is discarded.
    // NOTE(review): SNMP messages typically come from untrusted peers, so malformed
    // input should produce an error value rather than abort the process.
    let _ = snmp_parser::parse_snmp_v1(CRASH_INPUT);
}
thread '<unnamed>' panicked at 'called `Option::unwrap()` on a `None` value', /checkout/src/libcore/option.rs:329
stack backtrace:
   0:     0x55820356ae13 - std::sys::imp::backtrace::tracing::imp::unwind_backtrace::hf9ed9ccfd9f14c2b
                               at /checkout/src/libstd/sys/unix/backtrace/tracing/gcc_s.rs:49
   1:     0x558203567764 - std::sys_common::backtrace::_print::hd8a1b72dcf3955ef
                               at /checkout/src/libstd/sys_common/backtrace.rs:71
   2:     0x55820356bde7 - std::panicking::default_hook::{{closure}}::h5ff605bba7612658
                               at /checkout/src/libstd/sys_common/backtrace.rs:60
                               at /checkout/src/libstd/panicking.rs:355
   3:     0x55820356b96b - std::panicking::default_hook::h9bc4f6dfee57d6bd
                               at /checkout/src/libstd/panicking.rs:371
   4:     0x55820356c24b - std::panicking::rust_panic_with_hook::hdc01585dc2bf7122
                               at /checkout/src/libstd/panicking.rs:549
   5:     0x55820356c124 - std::panicking::begin_panic::hf84f4975d9f9b642
                               at /checkout/src/libstd/panicking.rs:511
   6:     0x55820356c059 - std::panicking::begin_panic_fmt::hcc3f360b2ba80419
                               at /checkout/src/libstd/panicking.rs:495
   7:     0x55820356bfe7 - rust_begin_unwind
                               at /checkout/src/libstd/panicking.rs:471
   8:     0x55820365e6fd - core::panicking::panic_fmt::h795d9a9608ddc2bb
                               at /checkout/src/libcore/panicking.rs:69
   9:     0x55820365e634 - core::panicking::panic::hcab3e0dfa81beee9
                               at /checkout/src/libcore/panicking.rs:49
  10:     0x5582034d53dd - <core::option::Option<T>>::unwrap::h28fe5b54c4f71513
                               at /checkout/src/libcore/macros.rs:21
  11:     0x5582034eee66 - snmp_parser::snmp::parse_snmp_v1_content::h07bca7b767d79d8a
                               at /home/neo/dev/work/snmp-parser/src/snmp.rs:170
  12:     0x5582034f53a7 - snmp_parser::snmp::parse_snmp_v1::h2b8998bc1a0b0691
                               at /home/neo/dev/work/snmp-parser/src/snmp.rs:199
  13:     0x558203494545 - rust_fuzzer_test_input
                               at /home/neo/dev/work/snmp-parser/fuzz/fuzzers/fuzzer_script_1.rs:7
  14:     0x55820349817a - libfuzzer_sys::test_input_wrap::{{closure}}::h01afe675cf6a0c88
                               at /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/src/lib.rs:13
  15:     0x55820349623f - std::panicking::try::do_call::hfeac5113da58e53b
                               at /checkout/src/libstd/panicking.rs:454
  16:     0x558203571f3b - <unknown>
                               at /checkout/src/libpanic_abort/lib.rs:40
==3194== ERROR: libFuzzer: deadly signal
    #0 0x55820363d999 in __sanitizer_print_stack_trace /checkout/src/compiler-rt/lib/asan/asan_stack.cc:38
    #1 0x5582034a9571 in fuzzer::Fuzzer::CrashCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:280
    #2 0x5582034a94bb in fuzzer::Fuzzer::StaticCrashSignalCallback() /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerLoop.cpp:264
    #3 0x5582034c6cad in fuzzer::CrashHandler(int, siginfo_t*, void*) /home/neo/.cargo/git/checkouts/libfuzzer-sys-e07fde05820d7bc6/36a3928/llvm/lib/Fuzzer/FuzzerUtilPosix.cpp:37
    #4 0x7fe01ae0cfdf  (/usr/lib/libpthread.so.0+0x11fdf)
    #5 0x7fe01a86ea0f in __GI_raise (/usr/lib/libc.so.6+0x33a0f)
    #6 0x7fe01a870139 in __GI_abort (/usr/lib/libc.so.6+0x35139)
    #7 0x558203571f48 in panic_abort::__rust_start_panic::abort /checkout/src/libpanic_abort/lib.rs:61
    #8 0x558203571f48 in __rust_start_panic /checkout/src/libpanic_abort/lib.rs:56

NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 4 ChangeBit-ChangeByte-ChangeByte-ChangeBinInt-; base unit: 4dab96f98875306d2eced8e7667193b55f41cfed
0x30,0x31,0x2,0x2,0x7e,0xfd,0x4,0x28,0x54,0x54,0x59,0x30,0x30,0x2,0x2,0xfe,0xfd,0xfd,0x28,0x45,0x54,0xab,0xab,0xab,0x2,0x2,0x2,0x30,0x2,0x58,0x58,0x58,0xff,0xff,0xff,0xff,0xff,0xff,0x58,0x58,0xff,0xff,0xff,0xff,0xff,0x1,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0xfd,0x54,0x4e,0xab,0xab,0xab,0xab,0xab,0xc6,0xc6,0xab,
01\x02\x02~\xfd\x04(TTY00\x02\x02\xfe\xfd\xfd(ET\xab\xab\xab\x02\x02\x020\x02XXX\xff\xff\xff\xff\xff\xffXX\xff\xff\xff\xff\xff\x01\x00\x00\x01\x00\x00\x00\x00\xfdTN\xab\xab\xab\xab\xab\xc6\xc6\xab
artifact_prefix='artifacts/'; Test unit written to artifacts/crash-4cca20a9976d4cbaec98d501d0f3c6baecde9c6d
Base64: MDECAn79BChUVFkwMAIC/v39KEVUq6urAgICMAJYWFj///////9YWP//////AQAAAQAAAAD9VE6rq6urq8bGqw==
