Check that strings do not go beyond the end of the packet body in autofs and SSH requests.

This fixes CVE-2013-0220.

https://fedorahosted.org/sssd/ticket/1781

1 files changed, 4 insertions, 4 deletions

diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index 1f4035e64..f83c136b8 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -694,8 +694,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
     }
 
     SAFEALIGN_COPY_UINT32_CHECK(&name_len, body+c, body_len, &c);
-    if (name_len == 0) {
-        DEBUG(SSSDBG_CRIT_FAILURE, ("Zero-length name is not valid\n"));
+    if (name_len == 0 || name_len > body_len - c) {
+        DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid name length\n"));
         return EINVAL;
     }
 
@@ -717,8 +717,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
 
     if (flags & 1) {
         SAFEALIGN_COPY_UINT32_CHECK(&alias_len, body+c, body_len, &c);
-        if (alias_len == 0) {
-            DEBUG(SSSDBG_CRIT_FAILURE, ("Zero-length alias is not valid\n"));
+        if (alias_len == 0 || alias_len > body_len - c) {
+            DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid alias length\n"));
             return EINVAL;
         }