summaryrefslogtreecommitdiffstats
path: root/src/sss_client/ssh
diff options
context:
space:
mode:
authorMichal Židek <mzidek@redhat.com>2015-07-22 16:35:35 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-08-31 18:34:26 +0200
commit9f0bffebd070115ab47a92eadc6890a721c7b78d (patch)
tree0cef1e564546161bd056993223e2418f140a44a3 /src/sss_client/ssh
parent11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a (diff)
downloadsssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.tar.gz
sssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.tar.xz
sssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.zip
sssd: incorrect checks on length values during packet decoding
https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech <pcech@redhat.com>
Diffstat (limited to 'src/sss_client/ssh')
-rw-r--r--src/sss_client/ssh/sss_ssh_client.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/sss_client/ssh/sss_ssh_client.c b/src/sss_client/ssh/sss_ssh_client.c
index 245a02056..e5097337f 100644
--- a/src/sss_client/ssh/sss_ssh_client.c
+++ b/src/sss_client/ssh/sss_ssh_client.c
@@ -171,7 +171,7 @@ sss_ssh_get_ent(TALLOC_CTX *mem_ctx,
/* parse reply */
c = 0;
- if (rep_len-c < 2*sizeof(uint32_t)) {
+ if (rep_len < c + 2*sizeof(uint32_t)) {
ret = EINVAL;
goto done;
}
@@ -214,7 +214,7 @@ sss_ssh_get_ent(TALLOC_CTX *mem_ctx,
SAFEALIGN_COPY_UINT32(&len, rep+c, &c);
- if (rep_len-c < len + sizeof(uint32_t)) {
+ if (len > rep_len - c - sizeof(uint32_t)) {
ret = EINVAL;
goto done;
}
@@ -237,7 +237,7 @@ sss_ssh_get_ent(TALLOC_CTX *mem_ctx,
SAFEALIGN_COPY_UINT32(&len, rep+c, &c);
- if (rep_len-c < len) {
+ if (len > rep_len - c) {
ret = EINVAL;
goto done;
}