FAST: when parsing krb5_child response, make sure to not miss OTP message if it was last one

The last message in the stream might be with empty payload which means we get
only message type and message length (0) returned, i.e. 8 bytes left remaining
in the stream after processing preceding message. This makes our calculation at
the end of a message processing loop incorrect -- p+2*sizeof(int32_t) can be
equal to len, after all.

Fixes FAST processing for FreeIPA native OTP case:
https://fedorahosted.org/sssd/ticket/2186

1 files changed, 4 insertions, 3 deletions

diff --git a/src/providers/krb5/krb5_child_handler.c b/src/providers/krb5/krb5_child_handler.c
index 92dec0d2a..d6c1dc1f9 100644
--- a/src/providers/krb5/krb5_child_handler.c
+++ b/src/providers/krb5/krb5_child_handler.c
@@ -548,8 +548,9 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len,
          * CCACHE_ENV_NAME"=". pref_len also counts the trailing '=' because
          * sizeof() counts the trailing '\0' of a string. */
         pref_len = sizeof(CCACHE_ENV_NAME);
-        if (msg_len > pref_len &&
-            strncmp((const char *) &buf[p], CCACHE_ENV_NAME"=", pref_len) == 0) {
+        if ((msg_type == SSS_PAM_ENV_ITEM) &&
+            (msg_len > pref_len) &&
+            (strncmp((const char *) &buf[p], CCACHE_ENV_NAME"=", pref_len) == 0)) {
             ccname = (char *) &buf[p+pref_len];
             ccname_len = msg_len-pref_len;
         }
@@ -600,7 +601,7 @@ parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len,
 
         p += msg_len;
 
-        if ((p < len) && (p + 2*sizeof(int32_t) >= len)) {
+        if ((p < len) && (p + 2*sizeof(int32_t) > len)) {
             DEBUG(SSSDBG_CRIT_FAILURE,
                   ("The remainder of the message is too short.\n"));
             return EINVAL;