authorSimo Sorce <ssorce@redhat.com>2009-05-28 20:03:37 -0400
committerSimo Sorce <ssorce@redhat.com>2009-05-28 20:03:37 -0400
commit3223205c56f9b85b483db31ac98590a3f64e40ca (patch)
tree052fcc45629fd7126c1844a0ec89349b8782778a
parentd21ea70d9bd18e24026c5e6388866ff0af313b37 (diff)
downloadsssd-3223205c56f9b85b483db31ac98590a3f64e40ca.tar.gz
sssd-3223205c56f9b85b483db31ac98590a3f64e40ca.tar.bz2
sssd-3223205c56f9b85b483db31ac98590a3f64e40ca.zip
Fix potential integer overflow
If mem_num is big enough then ptmem can be big enough that dlen - ptmem actually gives back a positive integer. Also tidy up the termination condition at the end of the buffer so that it is less confusing.
-rw-r--r--sss_client/group.c21
1 files changed, 10 insertions, 11 deletions
diff --git a/sss_client/group.c b/sss_client/group.c
index 4ba11e30..61b1e487 100644
--- a/sss_client/group.c
+++ b/sss_client/group.c
@@ -80,7 +80,6 @@ static int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr,
ssize_t dlen;
char *sbuf;
uint32_t mem_num;
- int err;
if (*len < 11) { /* not enough space for data, bad packet */
return EBADMSG;
@@ -129,10 +128,10 @@ static int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr,
/* now members */
pr->result->gr_mem = (char **)&(pr->buffer[i]);
ptmem = sizeof(char *) * (mem_num + 1);
- dlen -= ptmem;
- if (0 > dlen) { /* not enough mem in buffer */
+ if (ptmem > dlen) {
return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
}
+ dlen -= ptmem;
ptmem += i;
pr->result->gr_mem[mem_num] = NULL; /* terminate array */
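Review bot: The new `ptmem > dlen` guard still lets `mem_num + 1` wrap before it is ever compared: `mem_num` is `uint32_t` (first hunk), so a reply carrying `mem_num == UINT32_MAX` makes the sum 0, `ptmem` becomes 0, the guard passes, and the `gr_mem[mem_num] = NULL` store on the last line lands far beyond the end of `pr->buffer`; on a 32-bit build the multiplication by `sizeof(char *)` can also overflow `size_t` for large `mem_num`. `mem_num` is parsed from the reply earlier in the function, outside this hunk, so it should be treated as untrusted, and `ptmem`'s declaration is also outside the hunk, so its exact type is assumed here. I would widen before adding and reject anything the multiplication cannot hold: `if (mem_num > SIZE_MAX / sizeof(char *) - 1) return EBADMSG;` followed by `ptmem = sizeof(char *) * ((size_t)mem_num + 1);`. A wrapped count is a malformed packet rather than a short caller buffer, hence EBADMSG instead of ERANGE.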
@@ -140,19 +139,19 @@ static int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr,
pr->result->gr_mem[l] = &(pr->buffer[ptmem]);
while ((slen > i) && (dlen > 0)) {
pr->buffer[ptmem] = sbuf[i];
+ if (pr->buffer[ptmem] == '\0') break;
i++;
dlen--;
- if (pr->buffer[ptmem] == '\0') break;
ptmem++;
}
- if (pr->buffer[ptmem] != '\0') {
- if (slen <= i) { /* premature end of buf */
- return EBADMSG;
- }
- if (dlen <= 0) { /* not enough memory */
- return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
- }
+ if (slen <= i) { /* premature end of buf */
+ return EBADMSG;
}
+ if (dlen <= 0) { /* not enough memory */
+ return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
+ }
+ i++;
+ dlen--;
ptmem++;
}
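Review bot: The three unconditional `i++; dlen--; ptmem++;` after the copy loop are only correct because the loop breaks on `'\0'` before advancing, which is not obvious on first read; I would add `/* loop left on '\0': the terminator is already stored, account for it */` above them. Likewise the two error checks can only fire on a non-break exit, since a break leaves `slen > i` and `dlen > 0` intact, so the `/* premature end of buf */` comment would be clearer as `/* loop ran out of input before reaching '\0' */`. The types of `slen` and `i` are not visible in this hunk, and the enclosing `for` over the members starts before it.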