From 4c5633f1603e4bd03ed05c37d782ec8911759c47 Mon Sep 17 00:00:00 2001 From: Robert Story Date: Mon, 14 May 2012 11:40:06 -0400 Subject: [PATCH] NEWS: snmp: BUG: 3526549: CVE-2012-2141 Array index error leading to crash --- agent/mibgroup/agent/extend.c | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/agent/mibgroup/agent/extend.c b/agent/mibgroup/agent/extend.c index d00475f..1f8586a 100644 --- a/agent/mibgroup/agent/extend.c +++ b/agent/mibgroup/agent/extend.c @@ -1126,7 +1126,7 @@ _extend_find_entry( netsnmp_request_info *request, * ...and check the line requested is valid */ line_idx = *table_info->indexes->next_variable->val.integer; - if (eptr->numlines < line_idx) + if (line_idx < 1 || line_idx > eptr->numlines) return NULL; } return eptr; @@ -1299,6 +1299,10 @@ handle_nsExtendOutput2Table(netsnmp_mib_handler *handler, * Determine which line we've been asked for.... */ line_idx = *table_info->indexes->next_variable->val.integer; + if (line_idx < 1 || line_idx > extension->numlines) { + netsnmp_set_request_error(reqinfo, request, SNMP_NOSUCHINSTANCE); + continue; + } cp = extension->lines[line_idx-1]; /* -- 1.7.4.1