author | Michal Židek <mzidek@redhat.com> | 2015-07-22 16:35:35 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-08-31 18:34:26 +0200 |
commit | 9f0bffebd070115ab47a92eadc6890a721c7b78d (patch) | |
tree | 0cef1e564546161bd056993223e2418f140a44a3 /src/sss_client/ssh | |
parent | 11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a (diff) | |
sssd: incorrect checks on length values during packet decoding
https://fedorahosted.org/sssd/ticket/1697
It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.
Reviewed-by: Petr Cech <pcech@redhat.com>
Diffstat (limited to 'src/sss_client/ssh')
-rw-r--r-- | src/sss_client/ssh/sss_ssh_client.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/sss_client/ssh/sss_ssh_client.c b/src/sss_client/ssh/sss_ssh_client.c
index 245a02056..e5097337f 100644
--- a/src/sss_client/ssh/sss_ssh_client.c
+++ b/src/sss_client/ssh/sss_ssh_client.c
@@ -171,7 +171,7 @@ sss_ssh_get_ent(TALLOC_CTX *mem_ctx,
 /* parse reply */
 c = 0;
- if (rep_len-c < 2*sizeof(uint32_t)) {
+ if (rep_len < c + 2*sizeof(uint32_t)) {
 ret = EINVAL;
 goto done;
 }
@@ -214,7 +214,7 @@ sss_ssh_get_ent(TALLOC_CTX *mem_ctx,
 SAFEALIGN_COPY_UINT32(&len, rep+c, &c);
- if (rep_len-c < len + sizeof(uint32_t)) {
+ if (len > rep_len - c - sizeof(uint32_t)) {
 ret = EINVAL;
 goto done;
 }
@@ -237,7 +237,7 @@ sss_ssh_get_ent(TALLOC_CTX *mem_ctx,
 SAFEALIGN_COPY_UINT32(&len, rep+c, &c);
- if (rep_len-c < len) {
+ if (len > rep_len - c) {
 ret = EINVAL;
 goto done;
 }
|
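Review bot: In the second hunk the new right-hand side `rep_len - c - sizeof(uint32_t)` is itself a subtraction, so if `rep_len` and `c` are unsigned (the `sizeof` arithmetic suggests so, but their declarations are outside the hunk) and fewer than `sizeof(uint32_t)` bytes remain, it wraps to a huge value and no `len` is rejected. The third hunk's `rep_len - c` depends in the same way on `c <= rep_len`. Whatever establishes those bounds happens before `SAFEALIGN_COPY_UINT32` reads `len` and is not visible here, since the body of `sss_ssh_get_ent` continues outside all three hunks. I would either state the invariant next to each check, e.g. `/* rep_len - c >= sizeof(uint32_t) is guaranteed by the size check above */`, or make the check self-contained with `if (rep_len < c || rep_len - c < sizeof(uint32_t) || len > rep_len - c - sizeof(uint32_t)) {`. That keeps the untrusted `len` isolated on the left, as the commit message intends, without relying on a distant guard that a later refactor could move.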