package/netsnmp/netsnmp-CVE-2012-2141.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

From 4c5633f1603e4bd03ed05c37d782ec8911759c47 Mon Sep 17 00:00:00 2001
From: Robert Story <rstory@freesnmp.com>
Date: Mon, 14 May 2012 11:40:06 -0400
Subject: [PATCH] NEWS: snmp: BUG: 3526549: CVE-2012-2141 Array index error leading to crash

---
 agent/mibgroup/agent/extend.c |    6 +++++-
 1 files changed, 5 insertions(+), 1 deletions(-)

diff --git a/agent/mibgroup/agent/extend.c b/agent/mibgroup/agent/extend.c
index d00475f..1f8586a 100644
--- a/agent/mibgroup/agent/extend.c
+++ b/agent/mibgroup/agent/extend.c
@@ -1126,7 +1126,7 @@ _extend_find_entry( netsnmp_request_info       *request,
              * ...and check the line requested is valid
              */
             line_idx = *table_info->indexes->next_variable->val.integer;
-            if (eptr->numlines < line_idx)
+            if (line_idx < 1 || line_idx > eptr->numlines)
                 return NULL;
         }
         return eptr;
@@ -1299,6 +1299,10 @@ handle_nsExtendOutput2Table(netsnmp_mib_handler          *handler,
                  * Determine which line we've been asked for....
                  */
                 line_idx = *table_info->indexes->next_variable->val.integer;
+                if (line_idx < 1 || line_idx > extension->numlines) {
+                    netsnmp_set_request_error(reqinfo, request, SNMP_NOSUCHINSTANCE);
+                    continue;
+                }
                 cp  = extension->lines[line_idx-1];
 
                 /* 
-- 
1.7.4.1