authorJan Cholasta <jcholast@redhat.com>2013-01-23 12:26:17 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-01-23 15:24:35 +0100
commita3d236b1c93b0294fabf1fb6e4824d7383536e73 (patch)
tree1674acf55054ab1746f0987105bd8175923c2e09
parente54cde6e089080e919bf990ba1fee885b227000c (diff)
Check that strings do not go beyond the end of the packet body in autofs and SSH requests.
This fixes CVE-2013-0220. https://fedorahosted.org/sssd/ticket/1781
-rw-r--r--src/responder/autofs/autofssrv_cmd.c6
-rw-r--r--src/responder/ssh/sshsrv_cmd.c8
2 files changed, 7 insertions, 7 deletions
diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
index b85079d0d..8a79cecf3 100644
--- a/src/responder/autofs/autofssrv_cmd.c
+++ b/src/responder/autofs/autofssrv_cmd.c
@@ -940,7 +940,7 @@ sss_autofs_cmd_getautomntent(struct cli_ctx *client)
SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
- if (namelen == 0) {
+ if (namelen == 0 || namelen > blen - c) {
ret = EINVAL;
goto done;
}
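Review bot: The autofs rejection path at `if (namelen == 0 || namelen > blen - c)` sets `ret = EINVAL` and jumps to `done` without logging, whereas the SSH checks in this same commit emit a DEBUG line. A length that overruns the packet body is what a malformed or hostile client request looks like, so it is worth a trace for triage; consider adding `DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid name length\n"));` before `ret = EINVAL;`. The same applies to the namelen and keylen checks in sss_autofs_cmd_getautomntbyname. The `done:` label is outside the hunk, so if it already logs the failure this is moot.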
@@ -1215,7 +1215,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client)
/* FIXME - split out a function to get string from <len><str>\0 */
SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
- if (namelen == 0) {
+ if (namelen == 0 || namelen > blen - c) {
ret = EINVAL;
goto done;
}
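Review bot: The new bound still accepts `namelen == blen - c`, which leaves no byte for the terminator if the wire format is `<len><str>\0` as the FIXME above the read describes. The code that consumes the string is outside the hunk; if it inspects or skips the byte at `body[c + namelen]`, that access is one past the body and the test should be `namelen >= blen - c`. If namelen already counts the NUL, the check is right and a short comment saying so would help, e.g. `/* namelen includes the trailing NUL */`. The keylen check in the next hunk and the namelen check in sss_autofs_cmd_getautomntent have the same shape.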
@@ -1239,7 +1239,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client)
/* FIXME - split out a function to get string from <len><str>\0 */
SAFEALIGN_COPY_UINT32_CHECK(&keylen, body+c, blen, &c);
- if (keylen == 0) {
+ if (keylen == 0 || keylen > blen - c) {
ret = EINVAL;
goto done;
}
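Review bot: `keylen > blen - c` is only sound while `c <= blen`; if the operands are unsigned, a cursor past the end would make `blen - c` wrap to a huge value and the check would accept any length. Presumably SAFEALIGN_COPY_UINT32_CHECK on the line before guarantees that, but the macro is not visible here, so the dependency deserves a comment such as `/* SAFEALIGN_COPY_UINT32_CHECK ensured c <= blen, so blen - c cannot wrap */`. Writing the test as a subtraction rather than `c + keylen > blen` is the right form, since the addition could overflow, and the comment would keep a later edit from rewriting it that way. The same comment fits the other four length checks in this commit.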
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index 687e8887e..aea9719d6 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -693,8 +693,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
}
SAFEALIGN_COPY_UINT32_CHECK(&name_len, body+c, body_len, &c);
- if (name_len == 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Zero-length name is not valid\n"));
+ if (name_len == 0 || name_len > body_len - c) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid name length\n"));
return EINVAL;
}
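Review bot: The replacement message `Invalid name length` no longer distinguishes a zero length from one that overruns the body, and it prints neither value. For a rejected client request, the offending length and the bytes remaining are what an operator needs for triage. Something like `DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid name length [%u]\n", name_len));` would do, with the format adjusted to name_len's declared type, which is outside the hunk. The alias check in the next hunk has the same message shape.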
@@ -716,8 +716,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
if (flags & 1) {
SAFEALIGN_COPY_UINT32_CHECK(&alias_len, body+c, body_len, &c);
- if (alias_len == 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Zero-length alias is not valid\n"));
+ if (alias_len == 0 || alias_len > body_len - c) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid alias length\n"));
return EINVAL;
}