diff options
author | Jan Cholasta <jcholast@redhat.com> | 2013-01-23 12:26:17 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-01-23 15:24:35 +0100 |
commit | a3d236b1c93b0294fabf1fb6e4824d7383536e73 (patch) | |
tree | 1674acf55054ab1746f0987105bd8175923c2e09 /src/responder/autofs | |
parent | e54cde6e089080e919bf990ba1fee885b227000c (diff) | |
download | sssd-a3d236b1c93b0294fabf1fb6e4824d7383536e73.tar.gz sssd-a3d236b1c93b0294fabf1fb6e4824d7383536e73.tar.xz sssd-a3d236b1c93b0294fabf1fb6e4824d7383536e73.zip |
Check that strings do not go beyond the end of the packet body in autofs and SSH requests.
This fixes CVE-2013-0220.
https://fedorahosted.org/sssd/ticket/1781
Diffstat (limited to 'src/responder/autofs')
-rw-r--r-- | src/responder/autofs/autofssrv_cmd.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c index b85079d0d..8a79cecf3 100644 --- a/src/responder/autofs/autofssrv_cmd.c +++ b/src/responder/autofs/autofssrv_cmd.c @@ -940,7 +940,7 @@ sss_autofs_cmd_getautomntent(struct cli_ctx *client) SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c); - if (namelen == 0) { + if (namelen == 0 || namelen > blen - c) { ret = EINVAL; goto done; } @@ -1215,7 +1215,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client) /* FIXME - split out a function to get string from <len><str>\0 */ SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c); - if (namelen == 0) { + if (namelen == 0 || namelen > blen - c) { ret = EINVAL; goto done; } @@ -1239,7 +1239,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client) /* FIXME - split out a function to get string from <len><str>\0 */ SAFEALIGN_COPY_UINT32_CHECK(&keylen, body+c, blen, &c); - if (keylen == 0) { + if (keylen == 0 || keylen > blen - c) { ret = EINVAL; goto done; } |