From b7f47840ab580833d3747881e1d0348fd154e8f0 Mon Sep 17 00:00:00 2001
From: Michal Zidek
Date: Wed, 4 Sep 2013 16:17:57 +0200
Subject: responder: Use SAFEALIGN macro when checking pam data validity.

resolves: https://fedorahosted.org/sssd/ticket/1359
---
 src/responder/pam/pamsrv_cmd.c | 34 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 11 deletions(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 94c72cf35..2bceb8985 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -144,12 +144,20 @@ static int pam_parse_in_data_v2(struct sss_domain_info *domains,
 uint32_t size;
 char *pam_user;
 int ret;
- uint32_t terminator = SSS_END_OF_PAM_REQUEST;
+ uint32_t start;
+ uint32_t terminator;

- if (blen < 4*sizeof(uint32_t)+2 ||
- ((uint32_t *)body)[0] != SSS_START_OF_PAM_REQUEST ||
- memcmp(&body[blen - sizeof(uint32_t)], &terminator, sizeof(uint32_t)) != 0) {
- DEBUG(1, ("Received data is invalid.\n"));
+ if (blen < 4*sizeof(uint32_t)+2) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Received data is invalid.\n"));
+ return EINVAL;
+ }
+
+ SAFEALIGN_COPY_UINT32(&start, body, NULL);
+ SAFEALIGN_COPY_UINT32(&terminator, body + blen - sizeof(uint32_t), NULL);
+
+ if (start != SSS_START_OF_PAM_REQUEST
+ || terminator != SSS_END_OF_PAM_REQUEST) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Received data is invalid.\n"));
 return EINVAL;
 }

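Review bot: Both rejection branches in pam_parse_in_data_v2 log the identical text "Received data is invalid.", so a log reader cannot tell a truncated request (the `blen` check) from one whose start or end marker is wrong. This appears to be the first validation applied to a received request body, so distinct messages would help triage; the length branch could log `("Received data is too short.\n")` instead. A one-line comment above the two copies, such as `/* body is a byte buffer with no alignment guarantee; copy the markers out rather than casting to uint32_t * */`, would also record why the macro replaced the cast. The function body continues outside the hunk.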
@@ -709,14 +717,18 @@ errno_t pam_forwarder_parse_data(struct cli_ctx *cctx, struct pam_data *pd)
 uint8_t *body;
 size_t blen;
 errno_t ret;
- uint32_t terminator = SSS_END_OF_PAM_REQUEST;
+ uint32_t terminator;

 sss_packet_get_body(cctx->creq->in, &body, &blen);
- if (blen >= sizeof(uint32_t) &&
- memcmp(&body[blen - sizeof(uint32_t)], &terminator, sizeof(uint32_t)) != 0) {
- DEBUG(1, ("Received data not terminated.\n"));
- ret = EINVAL;
- goto done;
+ if (blen >= sizeof(uint32_t)) {
+ SAFEALIGN_COPY_UINT32(&terminator,
+ body + blen - sizeof(uint32_t),
+ NULL);
+ if (terminator != SSS_END_OF_PAM_REQUEST) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("Received data not terminated.\n"));
+ ret = EINVAL;
+ goto done;
+ }
 }

 switch (cctx->cli_protocol_version->version) {
-- cgit
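Review bot: A body shorter than `sizeof(uint32_t)` skips the terminator check entirely and still reaches the `switch` on the protocol version, because the outer `if (blen >= sizeof(uint32_t))` has no else branch. The commit carries this over from the old `&&` condition. The v2 parser in the first hunk does its own length check, but the parsers for the other protocol versions are not visible here, so it is safer to reject the short body up front with `if (blen < sizeof(uint32_t)) { ret = EINVAL; goto done; }` before the copy. pam_forwarder_parse_data starts and ends outside the hunk.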