diff options
author | Michal Židek <mzidek@redhat.com> | 2015-07-22 16:35:35 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-08-31 18:34:26 +0200 |
commit | 9f0bffebd070115ab47a92eadc6890a721c7b78d (patch) | |
tree | 0cef1e564546161bd056993223e2418f140a44a3 /src/providers/ipa/selinux_child.c | |
parent | 11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a (diff) | |
download | sssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.tar.gz sssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.tar.xz sssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.zip |
sssd: incorrect checks on length values during packet decoding
https://fedorahosted.org/sssd/ticket/1697
It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.
Reviewed-by: Petr Cech <pcech@redhat.com>
Diffstat (limited to 'src/providers/ipa/selinux_child.c')
-rw-r--r-- | src/providers/ipa/selinux_child.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c index 7c5731d66..3a15e7f51 100644 --- a/src/providers/ipa/selinux_child.c +++ b/src/providers/ipa/selinux_child.c @@ -53,7 +53,7 @@ static errno_t unpack_buffer(uint8_t *buf, DEBUG(SSSDBG_TRACE_INTERNAL, "Empty SELinux user, will delete the mapping\n"); } else { - if ((p + len ) > size) return EINVAL; + if (len > size - p) return EINVAL; ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len); if (ibuf->seuser == NULL) return ENOMEM; DEBUG(SSSDBG_TRACE_INTERNAL, "seuser: %s\n", ibuf->seuser); @@ -69,7 +69,7 @@ static errno_t unpack_buffer(uint8_t *buf, return EINVAL; } } else { - if ((p + len ) > size) return EINVAL; + if (len > size - p) return EINVAL; ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len); if (ibuf->mls_range == NULL) return ENOMEM; DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range: %s\n", ibuf->mls_range); @@ -83,7 +83,7 @@ static errno_t unpack_buffer(uint8_t *buf, DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n"); return EINVAL; } else { - if ((p + len ) > size) return EINVAL; + if (len > size - p) return EINVAL; ibuf->username = talloc_strndup(ibuf, (char *)(buf + p), len); if (ibuf->username == NULL) return ENOMEM; DEBUG(SSSDBG_TRACE_INTERNAL, "username: %s\n", ibuf->username); |