diff options
author | Michal Židek <mzidek@redhat.com> | 2015-07-22 16:35:35 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-08-31 18:34:26 +0200 |
commit | 9f0bffebd070115ab47a92eadc6890a721c7b78d (patch) | |
tree | 0cef1e564546161bd056993223e2418f140a44a3 /src/providers/ldap/sdap_child_helpers.c | |
parent | 11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a (diff) | |
download | sssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.tar.gz sssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.tar.xz sssd-9f0bffebd070115ab47a92eadc6890a721c7b78d.zip |
sssd: incorrect checks on length values during packet decoding
https://fedorahosted.org/sssd/ticket/1697
It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.
Reviewed-by: Petr Cech <pcech@redhat.com>
Diffstat (limited to 'src/providers/ldap/sdap_child_helpers.c')
-rw-r--r-- | src/providers/ldap/sdap_child_helpers.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c index afe6351e9..90330f13f 100644 --- a/src/providers/ldap/sdap_child_helpers.c +++ b/src/providers/ldap/sdap_child_helpers.c @@ -222,7 +222,7 @@ static int parse_child_response(TALLOC_CTX *mem_ctx, /* ccache name size */ SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); - if ((p + len ) > size) return EINVAL; + if (len > size - p) return EINVAL; ccn = talloc_size(mem_ctx, sizeof(char) * (len + 1)); if (ccn == NULL) { |