diff options
| author | Jan Cholasta <jcholast@redhat.com> | 2013-01-23 12:26:17 +0100 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-01-23 13:36:32 +0100 |
| commit | 2bd514cfde1938b1e245af11c9b548d58d49b325 (patch) | |
| tree | a332e7542d06f19f40c7e268372d17e78321fc76 /src | |
| parent | 5ff1c3c5a12930692cb6284d14f7fda3a974af8e (diff) | |
| download | sssd-2bd514cfde1938b1e245af11c9b548d58d49b325.tar.gz sssd-2bd514cfde1938b1e245af11c9b548d58d49b325.tar.xz sssd-2bd514cfde1938b1e245af11c9b548d58d49b325.zip | |
Check that strings do not go beyond the end of the packet body in autofs and SSH requests.
This fixes CVE-2013-0220.
https://fedorahosted.org/sssd/ticket/1781
Diffstat (limited to 'src')
| -rw-r--r-- | src/responder/autofs/autofssrv_cmd.c | 6 | ||||
| -rw-r--r-- | src/responder/ssh/sshsrv_cmd.c | 8 |
2 files changed, 7 insertions, 7 deletions
diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c index 7443ebbfa..e1f3aeda6 100644 --- a/src/responder/autofs/autofssrv_cmd.c +++ b/src/responder/autofs/autofssrv_cmd.c @@ -940,7 +940,7 @@ sss_autofs_cmd_getautomntent(struct cli_ctx *client) SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c); - if (namelen == 0) { + if (namelen == 0 || namelen > blen - c) { ret = EINVAL; goto done; } @@ -1215,7 +1215,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client) /* FIXME - split out a function to get string from <len><str>\0 */ SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c); - if (namelen == 0) { + if (namelen == 0 || namelen > blen - c) { ret = EINVAL; goto done; } @@ -1239,7 +1239,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client) /* FIXME - split out a function to get string from <len><str>\0 */ SAFEALIGN_COPY_UINT32_CHECK(&keylen, body+c, blen, &c); - if (keylen == 0) { + if (keylen == 0 || keylen > blen - c) { ret = EINVAL; goto done; } diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c index 1f4035e64..f83c136b8 100644 --- a/src/responder/ssh/sshsrv_cmd.c +++ b/src/responder/ssh/sshsrv_cmd.c @@ -694,8 +694,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx) } SAFEALIGN_COPY_UINT32_CHECK(&name_len, body+c, body_len, &c); - if (name_len == 0) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Zero-length name is not valid\n")); + if (name_len == 0 || name_len > body_len - c) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid name length\n")); return EINVAL; } @@ -717,8 +717,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx) if (flags & 1) { SAFEALIGN_COPY_UINT32_CHECK(&alias_len, body+c, body_len, &c); - if (alias_len == 0) { - DEBUG(SSSDBG_CRIT_FAILURE, ("Zero-length alias is not valid\n")); + if (alias_len == 0 || alias_len > body_len - c) { + DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid alias length\n")); return EINVAL; } |