Check that strings do not go beyond the end of the packet body in autofs and SSH requests.

This fixes CVE-2013-0220.

https://fedorahosted.org/sssd/ticket/1781

1 files changed, 3 insertions, 3 deletions

diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
index 7443ebbfa..e1f3aeda6 100644
--- a/src/responder/autofs/autofssrv_cmd.c
+++ b/src/responder/autofs/autofssrv_cmd.c
@@ -940,7 +940,7 @@ sss_autofs_cmd_getautomntent(struct cli_ctx *client)
 
     SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
 
-    if (namelen == 0) {
+    if (namelen == 0 || namelen > blen - c) {
         ret = EINVAL;
         goto done;
     }
@@ -1215,7 +1215,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client)
     /* FIXME - split out a function to get string from <len><str>\0 */
     SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
 
-    if (namelen == 0) {
+    if (namelen == 0 || namelen > blen - c) {
         ret = EINVAL;
         goto done;
     }
@@ -1239,7 +1239,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client)
     /* FIXME - split out a function to get string from <len><str>\0 */
     SAFEALIGN_COPY_UINT32_CHECK(&keylen, body+c, blen, &c);
 
-    if (keylen == 0) {
+    if (keylen == 0 || keylen > blen - c) {
         ret = EINVAL;
         goto done;
     }