From a3d236b1c93b0294fabf1fb6e4824d7383536e73 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 23 Jan 2013 12:26:17 +0100
Subject: Check that strings do not go beyond the end of the packet body in
 autofs and SSH requests.

This fixes CVE-2013-0220.

https://fedorahosted.org/sssd/ticket/1781
---
 src/responder/autofs/autofssrv_cmd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/responder/autofs')

diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
index b85079d0d..8a79cecf3 100644
--- a/src/responder/autofs/autofssrv_cmd.c
+++ b/src/responder/autofs/autofssrv_cmd.c
@@ -940,7 +940,7 @@ sss_autofs_cmd_getautomntent(struct cli_ctx *client)
 
     SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
 
-    if (namelen == 0) {
+    if (namelen == 0 || namelen > blen - c) {
         ret = EINVAL;
         goto done;
     }
@@ -1215,7 +1215,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client)
     /* FIXME - split out a function to get string from <len><str>\0 */
     SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
 
-    if (namelen == 0) {
+    if (namelen == 0 || namelen > blen - c) {
         ret = EINVAL;
         goto done;
     }
@@ -1239,7 +1239,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client)
     /* FIXME - split out a function to get string from <len><str>\0 */
     SAFEALIGN_COPY_UINT32_CHECK(&keylen, body+c, blen, &c);
 
-    if (keylen == 0) {
+    if (keylen == 0 || keylen > blen - c) {
         ret = EINVAL;
         goto done;
     }
-- 
cgit