From 9f0bffebd070115ab47a92eadc6890a721c7b78d Mon Sep 17 00:00:00 2001
From: Michal Židek
Date: Wed, 22 Jul 2015 16:35:35 +0200
Subject: sssd: incorrect checks on length values during packet decoding https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows.
Reviewed-by: Petr Cech
---
 src/providers/ldap/ldap_child.c | 6 +++---
 src/providers/ldap/sdap_child_helpers.c | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'src/providers/ldap')
diff --git a/src/providers/ldap/ldap_child.c b/src/providers/ldap/ldap_child.c
index 191d5bc65..7ce8d4e6c 100644
--- a/src/providers/ldap/ldap_child.c
+++ b/src/providers/ldap/ldap_child.c
@@ -66,7 +66,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
 DEBUG(SSSDBG_TRACE_LIBS, "realm_str size: %d\n", len);
 if (len) {
- if ((p + len ) > size) return EINVAL;
+ if (len > size - p) return EINVAL;
 ibuf->realm_str = talloc_strndup(ibuf, (char *)(buf + p), len);
 DEBUG(SSSDBG_TRACE_LIBS, "got realm_str: %s\n", ibuf->realm_str);
 if (ibuf->realm_str == NULL) return ENOMEM;
@@ -78,7 +78,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
 DEBUG(SSSDBG_TRACE_LIBS, "princ_str size: %d\n", len);
 if (len) {
- if ((p + len ) > size) return EINVAL;
+ if (len > size - p) return EINVAL;
 ibuf->princ_str = talloc_strndup(ibuf, (char *)(buf + p), len);
 DEBUG(SSSDBG_TRACE_LIBS, "got princ_str: %s\n", ibuf->princ_str);
 if (ibuf->princ_str == NULL) return ENOMEM;
@@ -90,7 +90,7 @@ static errno_t unpack_buffer(uint8_t *buf, size_t size,
 DEBUG(SSSDBG_TRACE_LIBS, "keytab_name size: %d\n", len);
 if (len) {
- if ((p + len ) > size) return EINVAL;
+ if (len > size - p) return EINVAL;
 ibuf->keytab_name = talloc_strndup(ibuf, (char *)(buf + p), len);
 DEBUG(SSSDBG_TRACE_LIBS, "got keytab_name: %s\n", ibuf->keytab_name);
 if (ibuf->keytab_name == NULL) return ENOMEM;
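Review bot: In the realm_str hunk the context line `DEBUG(SSSDBG_TRACE_LIBS, "got realm_str: %s\n", ibuf->realm_str);` runs before `if (ibuf->realm_str == NULL) return ENOMEM;`, so a failed `talloc_strndup` passes a null pointer to `%s`; assuming DEBUG forwards to a printf-style formatter, that is undefined by the C standard even where the libc happens to print a placeholder. Moving the NULL test directly after the `talloc_strndup` line, ahead of the DEBUG call, fixes the order without touching the successful path. The princ_str and keytab_name hunks in this file have the same ordering and would take the same two-line swap. unpack_buffer starts and ends outside these hunks, so the rest of its error handling is not visible here.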
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index afe6351e9..90330f13f 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -222,7 +222,7 @@ static int parse_child_response(TALLOC_CTX *mem_ctx,
 /* ccache name size */
 SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
- if ((p + len ) > size) return EINVAL;
+ if (len > size - p) return EINVAL;
 ccn = talloc_size(mem_ctx, sizeof(char) * (len + 1));
 if (ccn == NULL) {
-- cgit
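Review bot: The new guard `if (len > size - p) return EINVAL;` subtracts in unsigned arithmetic, so it is only sound while `p <= size`; if `p` were ever larger, `size - p` would wrap to a huge value and every `len` would pass. Here that bound presumably comes from the `SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);` call on the line above, whose definition is not shown on this page. A short comment would record the dependency for the next reader, e.g. `/* p <= size after the checked copy above, so size - p cannot wrap */`. The three guards in ldap_child.c's unpack_buffer have the same form, and the code that advances `p` before them lies outside those hunks, so the same invariant should be confirmed there. parse_child_response continues outside this hunk.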