From 9f0bffebd070115ab47a92eadc6890a721c7b78d Mon Sep 17 00:00:00 2001 From: Michal Židek Date: Wed, 22 Jul 2015 16:35:35 +0200 Subject: sssd: incorrect checks on length values during packet decoding https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech --- src/providers/ipa/selinux_child.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'src/providers/ipa/selinux_child.c') diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c index 7c5731d66..3a15e7f51 100644 --- a/src/providers/ipa/selinux_child.c +++ b/src/providers/ipa/selinux_child.c @@ -53,7 +53,7 @@ static errno_t unpack_buffer(uint8_t *buf, DEBUG(SSSDBG_TRACE_INTERNAL, "Empty SELinux user, will delete the mapping\n"); } else { - if ((p + len ) > size) return EINVAL; + if (len > size - p) return EINVAL; ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len); if (ibuf->seuser == NULL) return ENOMEM; DEBUG(SSSDBG_TRACE_INTERNAL, "seuser: %s\n", ibuf->seuser); @@ -69,7 +69,7 @@ static errno_t unpack_buffer(uint8_t *buf, return EINVAL; } } else { - if ((p + len ) > size) return EINVAL; + if (len > size - p) return EINVAL; ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len); if (ibuf->mls_range == NULL) return ENOMEM; DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range: %s\n", ibuf->mls_range); @@ -83,7 +83,7 @@ static errno_t unpack_buffer(uint8_t *buf, DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n"); return EINVAL; } else { - if ((p + len ) > size) return EINVAL; + if (len > size - p) return EINVAL; ibuf->username = talloc_strndup(ibuf, (char *)(buf + p), len); if (ibuf->username == NULL) return ENOMEM; DEBUG(SSSDBG_TRACE_INTERNAL, "username: %s\n", ibuf->username); -- cgit