From 740bfe1a5bf519de8e13bdce5c4143b0f24d7433 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Thu, 7 Jul 2016 12:48:42 +0300
Subject: Fix packet size calculation in sss_packet_new
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use division instead of modulo while rounding the created packet size up
to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes
potentially packet buffer overflows with certain body sizes.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/responder/common/responder_packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
index 1a201c15c..4f5e11083 100644
--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
@@ -75,7 +75,7 @@ int sss_packet_new(TALLOC_CTX *mem_ctx, size_t size,
     if (!packet) return ENOMEM;
 
     if (size) {
-        int n = (size + SSS_NSS_HEADER_SIZE) % SSSSRV_PACKET_MEM_SIZE;
+        int n = (size + SSS_NSS_HEADER_SIZE) / SSSSRV_PACKET_MEM_SIZE;
         packet->memsize = (n + 1) * SSSSRV_PACKET_MEM_SIZE;
     } else {
         packet->memsize = SSSSRV_PACKET_MEM_SIZE;
-- 
cgit