diff options
| author | Michal Zidek <mzidek@redhat.com> | 2013-09-04 16:17:57 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-12-03 14:47:59 +0100 |
| commit | b7f47840ab580833d3747881e1d0348fd154e8f0 (patch) | |
| tree | 80c2b901fa6bc6feb35c361afd3748e3e7b477ea /src/responder | |
| parent | a171d77f40aa92e240e91aa4bafe5a392a98b5a2 (diff) | |
| download | sssd-b7f47840ab580833d3747881e1d0348fd154e8f0.tar.gz sssd-b7f47840ab580833d3747881e1d0348fd154e8f0.tar.xz sssd-b7f47840ab580833d3747881e1d0348fd154e8f0.zip | |
responder: Use SAFEALIGN macro when checking pam data validity.
resolves:
https://fedorahosted.org/sssd/ticket/1359
Diffstat (limited to 'src/responder')
| -rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 34 |
1 files changed, 23 insertions, 11 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 94c72cf35..2bceb8985 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -144,12 +144,20 @@ static int pam_parse_in_data_v2(struct sss_domain_info *domains, uint32_t size; char *pam_user; int ret; - uint32_t terminator = SSS_END_OF_PAM_REQUEST; + uint32_t start; + uint32_t terminator; - if (blen < 4*sizeof(uint32_t)+2 || - ((uint32_t *)body)[0] != SSS_START_OF_PAM_REQUEST || - memcmp(&body[blen - sizeof(uint32_t)], &terminator, sizeof(uint32_t)) != 0) { - DEBUG(1, ("Received data is invalid.\n")); + if (blen < 4*sizeof(uint32_t)+2) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Received data is invalid.\n")); + return EINVAL; + } + + SAFEALIGN_COPY_UINT32(&start, body, NULL); + SAFEALIGN_COPY_UINT32(&terminator, body + blen - sizeof(uint32_t), NULL); + + if (start != SSS_START_OF_PAM_REQUEST + || terminator != SSS_END_OF_PAM_REQUEST) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Received data is invalid.\n")); return EINVAL; } @@ -709,14 +717,18 @@ errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *pd) uint8_t *body; size_t blen; errno_t ret; - uint32_t terminator = SSS_END_OF_PAM_REQUEST; + uint32_t terminator; sss_packet_get_body(cctx->creq->in, &body, &blen); - if (blen >= sizeof(uint32_t) && - memcmp(&body[blen - sizeof(uint32_t)], &terminator, sizeof(uint32_t)) != 0) { - DEBUG(1, ("Received data not terminated.\n")); - ret = EINVAL; - goto done; + if (blen >= sizeof(uint32_t)) { + SAFEALIGN_COPY_UINT32(&terminator, + body + blen - sizeof(uint32_t), + NULL); + if (terminator != SSS_END_OF_PAM_REQUEST) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Received data not terminated.\n")); + ret = EINVAL; + goto done; + } } switch (cctx->cli_protocol_version->version) { |