From c04cdb57386cd77ace2b26932c9d7b90c7450239 Mon Sep 17 00:00:00 2001
From: Luiz Otavio O Souza <loos@FreeBSD.org>
Date: Fri, 27 Jun 2014 18:40:14 +0000
Subject: [PATCH] Correct the buffer length check to avoid overflows.

Found with:	Coverity Scan
CID:		1222502, 1222503
---
 usr.sbin/bsnmpd/modules/snmp_lm75/snmp_lm75.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/usr.sbin/bsnmpd/modules/snmp_lm75/snmp_lm75.c b/usr.sbin/bsnmpd/modules/snmp_lm75/snmp_lm75.c
index 386dc5f885e1..7935d9711f43 100644
--- a/usr.sbin/bsnmpd/modules/snmp_lm75/snmp_lm75.c
+++ b/usr.sbin/bsnmpd/modules/snmp_lm75/snmp_lm75.c
@@ -140,7 +140,7 @@ sysctlname(int *oid, int nlen, char *name, size_t len)
 {
 	int mib[12];
 
-	if (nlen > (int)sizeof(mib) + 2)
+	if (nlen > (int)(sizeof(mib) / sizeof(int) - 2))
 		return (-1);
 
 	mib[0] = 0;
@@ -158,7 +158,7 @@ sysctlgetnext(int *oid, int nlen, int *next, size_t *nextlen)
 {
 	int mib[12];
 
-	if (nlen  > (int)sizeof(mib) + 2)
+	if (nlen > (int)(sizeof(mib) / sizeof(int) - 2))
 		return (-1);
 
 	mib[0] = 0;
@@ -180,10 +180,13 @@ update_sensor_sysctl(char *obuf, size_t *obuflen, int idx, const char *name)
 
 	/* Fill out the mib information. */
 	snprintf(buf, sizeof(buf) - 1, "dev.lm75.%d.%s", idx, name);
-	len = 4;
+	len = sizeof(mib) / sizeof(int);
 	if (sysctlnametomib(buf, mib, &len) == -1)
 		return (-1);
 
+	if (len != 4)
+		return (-1);
+
 	/* Read the sysctl data. */
 	if (sysctl(mib, len, obuf, obuflen, NULL, 0) == -1)
 		return (-1);