From 8e9f72bae93387ae969f20153d2f96acd7a8e3f2 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Wed, 23 Jan 2013 12:26:17 +0100
Subject: Check that strings do not go beyond the end of the packet body in autofs and SSH requests.
This fixes CVE-2013-0220.
https://fedorahosted.org/sssd/ticket/1781
---
src/responder/autofs/autofssrv_cmd.c | 6 +++---
src/responder/ssh/sshsrv_cmd.c | 8 ++++----
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
index 8123db2a4..9abb0ca19 100644
--- a/src/responder/autofs/autofssrv_cmd.c
+++ b/src/responder/autofs/autofssrv_cmd.c
@@ -853,7 +853,7 @@ sss_autofs_cmd_getautomntent(struct cli_ctx *client)
 SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
- if (namelen == 0) {
+ if (namelen == 0 || namelen > blen - c) {
 ret = EINVAL;
 goto done;
 }
@@ -1128,7 +1128,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client)
 /* FIXME - split out a function to get string from \0 */
 SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
- if (namelen == 0) {
+ if (namelen == 0 || namelen > blen - c) {
 ret = EINVAL;
 goto done;
 }
@@ -1152,7 +1152,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client)
 /* FIXME - split out a function to get string from \0 */
 SAFEALIGN_COPY_UINT32_CHECK(&keylen, body+c, blen, &c);
- if (keylen == 0) {
+ if (keylen == 0 || keylen > blen - c) {
 ret = EINVAL;
 goto done;
 }
diff --git a/src/responder/ssh/sshsrv_cmd.c b/src/responder/ssh/sshsrv_cmd.c
index cae0b87c0..7ef63465c 100644
--- a/src/responder/ssh/sshsrv_cmd.c
+++ b/src/responder/ssh/sshsrv_cmd.c
@@ -574,8 +574,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
 }
 SAFEALIGN_COPY_UINT32_CHECK(&name_len, body+c, body_len, &c);
- if (name_len == 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Zero-length name is not valid\n"));
+ if (name_len == 0 || name_len > body_len - c) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid name length\n"));
 return EINVAL;
 }
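Review bot: The new bound `namelen > blen - c` in sss_autofs_cmd_getautomntent only holds if `c <= blen` at this point, which it presumably is because the preceding `SAFEALIGN_COPY_UINT32_CHECK` bails out when the four length bytes do not fit — that macro is not visible here, so it is worth confirming that it rejects the packet rather than just advancing `c`. Since the subtraction is unsigned, a comment pinning the invariant would stop a later reorder from silently turning it into a wrap-around: `/* SAFEALIGN_COPY_UINT32_CHECK already ensured c <= blen, so blen - c cannot wrap */`. Unlike the ssh responder in the same commit, this rejection is silent; a `DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid name length\n"));` before `ret = EINVAL;` would make a malformed client visible in the log. The function starts and ends outside the hunk.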
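Review bot: The added bound guarantees that `namelen` bytes exist after `c`, but nothing in this hunk of sss_autofs_cmd_getautomntbyname shows that those bytes contain a terminating NUL, which the `FIXME` context line ("get string from \0") suggests the following code expects. If the lines after the hunk hand `body+c` to a string function without checking, a client that still controls the length can send a name whose last byte is not `\0` and the read continues past the field into whatever follows in the body; if that check already sits just outside the hunk, ignore this. Otherwise the condition could carry it: `if (namelen == 0 || namelen > blen - c || body[c + namelen - 1] != '\0') {`. The function body continues outside the hunk.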
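Review bot: With this hunk the same three-way validation (`SAFEALIGN_COPY_UINT32_CHECK`, zero check, `> blen - c` bound) now appears three times in this file, and the `FIXME` context line above already asks for the length-prefixed string to be read by one function. Folding the read and the bound check into a static helper would keep the call sites from drifting apart the next time a condition is added, which is how the unbounded length slipped through in the first place. The sketch below assumes `body` is a `uint8_t *`, `c` and `blen` are `size_t`, and that `SAFEALIGN_COPY_UINT32_CHECK` returns `EINVAL` from the enclosing function on a short read, as its use in these hunks implies; adjust the types if the declarations (outside the hunk) differ. The surrounding function starts and ends outside the hunk.
```c
/* Read one length-prefixed string at body[*c]: fills *len and rejects an
 * empty string or one that would run past the blen bytes of the body. */
static int autofs_get_string_len(const uint8_t *body, size_t blen,
                                 size_t *c, uint32_t *len)
{
    SAFEALIGN_COPY_UINT32_CHECK(len, body + *c, blen, c);
    if (*len == 0 || *len > blen - *c) {
        return EINVAL;
    }
    return 0;
}

/* … unchanged: sss_autofs_cmd_getautomntbyname up to the key … */
    ret = autofs_get_string_len(body, blen, &c, &keylen);
    if (ret != 0) {
        goto done;
    }
```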
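Review bot: The new message `"Invalid name length\n"` in ssh_cmd_parse_request drops the detail that would let an operator tell a zero-length name from one that overruns the packet, and it does not say by how much. Since the check now covers two different malformed cases, logging the value and the remaining body would make a bad client diagnosable from the log alone: `DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid name length %"PRIu32" (%zu bytes left)\n", name_len, body_len - c));` — this assumes `name_len` is a `uint32_t` and `body_len`/`c` are `size_t`, as the `SAFEALIGN_COPY_UINT32_CHECK` usage suggests, and that `<inttypes.h>` is already included; check the declarations above the hunk. The function starts and ends outside the hunk.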
@@ -596,8 +596,8 @@ ssh_cmd_parse_request(struct ssh_cmd_ctx *cmd_ctx)
 if (flags & 1) {
 SAFEALIGN_COPY_UINT32_CHECK(&alias_len, body+c, body_len, &c);
- if (alias_len == 0) {
- DEBUG(SSSDBG_CRIT_FAILURE, ("Zero-length alias is not valid\n"));
+ if (alias_len == 0 || alias_len > body_len - c) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Invalid alias length\n"));
 return EINVAL;
 }
-- cgit
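Review bot: The alias bound `alias_len > body_len - c` in ssh_cmd_parse_request is only measured from the right place if `c` has already been advanced past the name, whose copy sits between the two hunks and is not visible here; if the name were copied without bumping `c`, the alias check would be made against a stale offset and could still pass. A short comment at the top of the branch would record that expectation for the next reader: `/* c is past the name here; the alias must fit in the remaining body_len - c bytes */`. As with the name, the check proves the bytes exist but not that they end in NUL, so the consumer after the hunk must still bound its reads by `alias_len`. The `if (flags & 1)` branch and the function both continue outside the hunk.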