author | Simo Sorce <idra@samba.org> | 2009-01-07 09:30:00 -0500 |
---|---|---|
committer | Simo Sorce <idra@samba.org> | 2009-01-07 09:30:00 -0500 |
commit | be49b5ec22ddd845d78eca7e7c2176c9d4c0aae3 (patch) | |
tree | 3dc7c2f0a714738f3a31e6b0c646b357e5e36e72 /server/nss/nsssrv_packet.c | |
parent | 054321c995958ecc7f8e5a92f8d35c6a6bd6e809 (diff) | |
Check size of incoming packets.
This should fix a buffer overflow waiting to be exploited :/
Diffstat (limited to 'server/nss/nsssrv_packet.c')
-rw-r--r-- | server/nss/nsssrv_packet.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/server/nss/nsssrv_packet.c b/server/nss/nsssrv_packet.c
index c15f5c764..07cc2ff8a 100644
--- a/server/nss/nsssrv_packet.c
+++ b/server/nss/nsssrv_packet.c
@@ -50,9 +50,6 @@ struct nss_packet {
 *
 * - if size is defined use it otherwise the default packet will be
 * NSSSRV_PACKET_MEM_SIZE bytes.
- * - if buf is provided also give back the pointer to the base of
- * the buffer (the header), so that a packet can be written into
- * firecgtly from the wire
 */
 int nss_packet_new(TALLOC_CTX *mem_ctx, size_t size,
 enum sss_nss_command cmd,
@@ -142,8 +139,13 @@ int nss_packet_recv(struct nss_packet *packet, int fd)
 void *buf;
 buf = packet->buffer + packet->iop;
- if (packet->iop > 4) len = *packet->len;
- else len = packet->memsize;
+ if (packet->iop > 4) len = *packet->len - packet->iop;
+ else len = packet->memsize - packet->iop;
+
+ /* check for wrapping */
+ if (len > packet->memsize) {
+ return EINVAL;
+ }
 errno = 0;
 rb = recv(fd, buf, len, 0);
@@ -156,6 +158,10 @@ int nss_packet_recv(struct nss_packet *packet, int fd)
 return EIO;
 }
+ if (packet->len > packet->memsize) {
+ return EINVAL;
+ }
+
 packet->iop += rb;
 if (packet->iop < 4) {
 return EAGAIN; |
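Review bot: The wrap check in the second hunk compares `len` with `packet->memsize`, but `buf` already starts `packet->iop` bytes into the buffer, so a client-supplied `*packet->len` a little above `memsize` still gives a `len` that passes and lets recv() write up to `iop` bytes past the end. Validating the length before the subtraction covers both the wrap and the overrun: `if (*packet->len < packet->iop || *packet->len > packet->memsize) return EINVAL;`. The branch condition `packet->iop > 4` also looks off by one against the `packet->iop < 4` test later in the function, since a complete 4-byte length appears to be available at `iop == 4`. The field types are not visible here, so this assumes they are unsigned; the body of nss_packet_recv starts and ends outside the hunk.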
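Review bot: The check added in the third hunk compares `packet->len` with `packet->memsize`, while the previous hunk reads the same field as `*packet->len`; if `len` is a pointer into the packet header, as that dereference suggests, this compares an address with a size instead of validating the length the client sent. The check should read `if (*packet->len > packet->memsize) return EINVAL;`. It also runs before the `packet->iop < 4` test, so it can evaluate a length field that has only been partly received; placing it after the EAGAIN return would avoid that. The body of nss_packet_recv starts and ends outside the hunk.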