From 3223205c56f9b85b483db31ac98590a3f64e40ca Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 28 May 2009 20:03:37 -0400
Subject: Fix potential integer oveflow

If mem_num is big enough then ptmem can be big enough that dlen - ptmem actually gives back a postive integer. Also tidy up the termination condition at the end of the buffer so that it is less confusing.
---
 sss_client/group.c | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/sss_client/group.c b/sss_client/group.c
index 4ba11e30a..61b1e487b 100644
--- a/sss_client/group.c
+++ b/sss_client/group.c
@@ -80,7 +80,6 @@ static int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr,
 ssize_t dlen;
 char *sbuf;
 uint32_t mem_num;
- int err;
 if (*len < 11) { /* not enough space for data, bad packet */
 return EBADMSG;
@@ -129,10 +128,10 @@ static int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr,
 /* now members */
 pr->result->gr_mem = (char **)&(pr->buffer[i]);
 ptmem = sizeof(char *) * (mem_num + 1);
- dlen -= ptmem;
- if (0 > dlen) { /* not enough mem in buffer */
+ if (ptmem > dlen) {
 return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
 }
+ dlen -= ptmem;
 ptmem += i;
 pr->result->gr_mem[mem_num] = NULL; /* terminate array */
@@ -140,19 +139,19 @@ static int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr,
 pr->result->gr_mem[l] = &(pr->buffer[ptmem]);
 while ((slen > i) && (dlen > 0)) {
 pr->buffer[ptmem] = sbuf[i];
+ if (pr->buffer[ptmem] == '\0') break;
 i++;
 dlen--;
- if (pr->buffer[ptmem] == '\0') break;
 ptmem++;
 }
- if (pr->buffer[ptmem] != '\0') {
- if (slen <= i) { /* premature end of buf */
- return EBADMSG;
- }
- if (dlen <= 0) { /* not enough memory */
- return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
- }
+ if (slen <= i) { /* premature end of buf */
+ return EBADMSG;
 }
+ if (dlen <= 0) { /* not enough memory */
+ return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
+ }
+ i++;
+ dlen--;
 ptmem++;
 }
-- 
cgit
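Review bot: The new guard `if (ptmem > dlen)` in the second hunk (`@@ -129,10 +128,10 @@`) still trusts `ptmem`, but `mem_num` is `uint32_t`, so `mem_num + 1` is computed in 32-bit unsigned arithmetic and wraps to 0 when `mem_num` is `UINT32_MAX`. In that case `ptmem` is 0, the guard passes, and `pr->result->gr_mem[mem_num] = NULL` stores far outside `pr->buffer`. `mem_num` looks like it is taken from the reply packet (its parsing is outside the hunk), so I would bound it before the multiplication with `if (dlen < 0 || mem_num >= (size_t)dlen / sizeof(char *)) { return ERANGE; }`. That form also avoids the mixed signed/unsigned comparison between `dlen` (`ssize_t`) and `ptmem`, whose declaration is not visible here and is presumably `size_t`.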
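Review bot: The trailing `i++; dlen--; ptmem++;` added at the end of the third hunk (`@@ -140,19 +139,19 @@`) carries no comment, yet it is only correct because the two checks above it prove the inner loop left through `break` with the terminator already stored at `pr->buffer[ptmem]`. A one-line comment before `i++;`, for example `/* loop ended on the copied '\0': step past it in both buffers */`, would make that invariant explicit for whoever next touches the bounds logic. The enclosing loop over members starts and ends outside the hunk, so this note is limited to the visible lines.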