diff options
| author | Michal Židek <mzidek@redhat.com> | 2015-07-22 16:35:35 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-08-31 18:34:26 +0200 |
| commit | 9f0bffebd070115ab47a92eadc6890a721c7b78d (patch) | |
| tree | 0cef1e564546161bd056993223e2418f140a44a3 /src/providers/ad | |
| parent | 11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a (diff) | |
| download | sssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.tar.gz sssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.tar.xz sssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.zip | |
sssd: incorrect checks on length values during packet decoding
https://fedorahosted.org/sssd/ticket/1697
It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.
Reviewed-by: Petr Cech <pcech@redhat.com>
Diffstat (limited to 'src/providers/ad')
| -rw-r--r-- | src/providers/ad/ad_gpo_child.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c index 03951af04..6547f9c05 100644 --- a/src/providers/ad/ad_gpo_child.c +++ b/src/providers/ad/ad_gpo_child.c @@ -69,7 +69,7 @@ unpack_buffer(uint8_t *buf, if (len == 0) { return EINVAL; } else { - if ((p + len ) > size) return EINVAL; + if (len > size - p) return EINVAL; ibuf->smb_server = talloc_strndup(ibuf, (char *)(buf + p), len); if (ibuf->smb_server == NULL) return ENOMEM; DEBUG(SSSDBG_TRACE_ALL, "smb_server: %s\n", ibuf->smb_server); @@ -82,7 +82,7 @@ unpack_buffer(uint8_t *buf, if (len == 0) { return EINVAL; } else { - if ((p + len ) > size) return EINVAL; + if (len > size - p) return EINVAL; ibuf->smb_share = talloc_strndup(ibuf, (char *)(buf + p), len); if (ibuf->smb_share == NULL) return ENOMEM; DEBUG(SSSDBG_TRACE_ALL, "smb_share: %s\n", ibuf->smb_share); @@ -95,7 +95,7 @@ unpack_buffer(uint8_t *buf, if (len == 0) { return EINVAL; } else { - if ((p + len ) > size) return EINVAL; + if (len > size - p) return EINVAL; ibuf->smb_path = talloc_strndup(ibuf, (char *)(buf + p), len); if (ibuf->smb_path == NULL) return ENOMEM; DEBUG(SSSDBG_TRACE_ALL, "smb_path: %s\n", ibuf->smb_path); @@ -108,7 +108,7 @@ unpack_buffer(uint8_t *buf, if (len == 0) { return EINVAL; } else { - if ((p + len ) > size) return EINVAL; + if (len > size - p) return EINVAL; ibuf->smb_cse_suffix = talloc_strndup(ibuf, (char *)(buf + p), len); if (ibuf->smb_cse_suffix == NULL) return ENOMEM; DEBUG(SSSDBG_TRACE_ALL, "smb_cse_suffix: %s\n", ibuf->smb_cse_suffix); |