diff options
author | Alexander Bokovoy <ab@samba.org> | 2013-12-24 13:01:46 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-01-09 16:54:41 +0100 |
commit | 103f7efda7b84e7c791af2ebc2255e61e826fd75 (patch) | |
tree | 0a7d56e984d81a09f953a3c4795d8ac5484ab9f6 /src/providers | |
parent | 91ab35daf713e146dfae53a67f6b86b424c897d5 (diff) | |
download | sssd-103f7efda7b84e7c791af2ebc2255e61e826fd75.tar.gz sssd-103f7efda7b84e7c791af2ebc2255e61e826fd75.tar.xz sssd-103f7efda7b84e7c791af2ebc2255e61e826fd75.zip |
FAST: when parsing krb5_child response, make sure to not miss OTP message if it was last onesssd-1.11.2-24.el7
The last message in the stream might be with empty payload which means we get
only message type and message length (0) returned, i.e. 8 bytes left remaining
in the stream after processing preceding message. This makes our calculation at
the end of a message processing loop incorrect -- p+2*sizeof(int32_t) can be
equal to len, after all.
Fixes FAST processing for FreeIPA native OTP case:
https://fedorahosted.org/sssd/ticket/2186
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/krb5/krb5_child_handler.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c index 92dec0d2a..d6c1dc1f9 100644 --- a/src/providers/krb5/krb5_child_handler.c +++ b/src/providers/krb5/krb5_child_handler.c @@ -548,8 +548,9 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len, * CCACHE_ENV_NAME"=". pref_len also counts the trailing '=' because * sizeof() counts the trailing '\0' of a string. */ pref_len = sizeof(CCACHE_ENV_NAME); - if (msg_len > pref_len && - strncmp((const char *) &buf[p], CCACHE_ENV_NAME"=", pref_len) == 0) { + if ((msg_type == SSS_PAM_ENV_ITEM) && + (msg_len > pref_len) && + (strncmp((const char *) &buf[p], CCACHE_ENV_NAME"=", pref_len) == 0)) { ccname = (char *) &buf[p+pref_len]; ccname_len = msg_len-pref_len; } @@ -600,7 +601,7 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len, p += msg_len; - if ((p < len) && (p + 2*sizeof(int32_t) >= len)) { + if ((p < len) && (p + 2*sizeof(int32_t) > len)) { DEBUG(SSSDBG_CRIT_FAILURE, ("The remainder of the message is too short.\n")); return EINVAL; |