authorMichal Židek <mzidek@redhat.com>2015-07-22 16:35:35 +0200
committerJakub Hrozek <jhrozek@redhat.com>2015-08-31 18:34:26 +0200
commit9f0bffebd070115ab47a92eadc6890a721c7b78d (patch)
tree0cef1e564546161bd056993223e2418f140a44a3 /src/providers/ldap/sdap_child_helpers.c
parent11e8f3ecdddf8edd8b1bbe9f41b49ce8b709b92a (diff)
sssd: incorrect checks on length values during packet decoding
https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech <pcech@redhat.com>
Diffstat (limited to 'src/providers/ldap/sdap_child_helpers.c')
-rw-r--r--src/providers/ldap/sdap_child_helpers.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/providers/ldap/sdap_child_helpers.c b/src/providers/ldap/sdap_child_helpers.c
index afe6351e9..90330f13f 100644
--- a/src/providers/ldap/sdap_child_helpers.c
+++ b/src/providers/ldap/sdap_child_helpers.c
@@ -222,7 +222,7 @@ static int parse_child_response(TALLOC_CTX *mem_ctx,
/* ccache name size */
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
- if ((p + len ) > size) return EINVAL;
+ if (len > size - p) return EINVAL;
ccn = talloc_size(mem_ctx, sizeof(char) * (len + 1));
if (ccn == NULL) {
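Review bot: The rewritten guard `if (len > size - p) return EINVAL;` is only overflow-free while `p <= size` holds at that point; if `p` could ever exceed `size`, the subtraction would wrap (or go negative and be converted) and an oversized `len` would pass. That invariant is presumably established by `SAFEALIGN_COPY_UINT32_CHECK` on the line above, but neither the macro nor the declarations of `size` and `p` are visible in this hunk, so the types and their signedness should be confirmed. I would record the dependency next to the check, for example `/* SAFEALIGN_COPY_UINT32_CHECK above guarantees p <= size, so size - p cannot wrap */`, so that a later reordering of the decode steps does not silently reopen the bounds problem on the untrusted length. The body of `parse_child_response` starts and ends outside the hunk.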