author | Simo Sorce <ssorce@redhat.com> | 2009-05-28 20:03:37 -0400 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2009-05-28 20:03:37 -0400 |
commit | 3223205c56f9b85b483db31ac98590a3f64e40ca (patch) | |
tree | 052fcc45629fd7126c1844a0ec89349b8782778a | |
parent | d21ea70d9bd18e24026c5e6388866ff0af313b37 (diff) | |
Fix potential integer overflow
If mem_num is big enough then ptmem can be big enough that dlen - ptmem
actually gives back a positive integer.
Also tidy up the termination condition at the end of the buffer so that
it is less confusing.
-rw-r--r-- | sss_client/group.c | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/sss_client/group.c b/sss_client/group.c
index 4ba11e30..61b1e487 100644
--- a/sss_client/group.c
+++ b/sss_client/group.c
@@ -80,7 +80,6 @@ static int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr,
 ssize_t dlen;
 char *sbuf;
 uint32_t mem_num;
- int err;
 if (*len < 11) { /* not enough space for data, bad packet */
 return EBADMSG;
@@ -129,10 +128,10 @@ static int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr,
 /* now members */
 pr->result->gr_mem = (char **)&(pr->buffer[i]);
 ptmem = sizeof(char *) * (mem_num + 1);
- dlen -= ptmem;
- if (0 > dlen) { /* not enough mem in buffer */
+ if (ptmem > dlen) {
 return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
 }
+ dlen -= ptmem;
 ptmem += i;
 pr->result->gr_mem[mem_num] = NULL; /* terminate array */
@@ -140,19 +139,19 @@ static int sss_nss_getgr_readrep(struct sss_nss_gr_rep *pr,
 pr->result->gr_mem[l] = &(pr->buffer[ptmem]);
 while ((slen > i) && (dlen > 0)) {
 pr->buffer[ptmem] = sbuf[i];
+ if (pr->buffer[ptmem] == '\0') break;
 i++;
 dlen--;
- if (pr->buffer[ptmem] == '\0') break;
 ptmem++;
 }
- if (pr->buffer[ptmem] != '\0') {
- if (slen <= i) { /* premature end of buf */
- return EBADMSG;
- }
- if (dlen <= 0) { /* not enough memory */
- return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
- }
+ if (slen <= i) { /* premature end of buf */
+ return EBADMSG;
 }
+ if (dlen <= 0) { /* not enough memory */
+ return ERANGE; /* not ENOMEM, ERANGE is what glibc looks for */
+ }
+ i++;
+ dlen--;
 ptmem++;
 } |
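Review bot: The new `ptmem > dlen` test in the second hunk still trusts `sizeof(char *) * (mem_num + 1)`, which can wrap before the comparison is made: `mem_num` is a `uint32_t`, so a value of UINT32_MAX makes `mem_num + 1` zero, and where `size_t` is 32 bits the multiplication can wrap as well (ptmem is declared outside the hunk, so its width is assumed here). A wrapped ptmem passes the check, and `pr->result->gr_mem[mem_num] = NULL` then writes far outside the caller's buffer. The comparison also mixes the signed `dlen` with what is presumably an unsigned ptmem, so a negative `dlen` would be converted to a huge value and pass. Bounding the count before multiplying covers all three cases: `if (dlen < 0 || mem_num >= (size_t)dlen / sizeof(char *)) return ERANGE;` placed ahead of the ptmem assignment.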
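Review bot: The three statements added after the two error checks in the third hunk (`i++; dlen--; ptmem++;`) carry no comment saying that they step over the NUL the inner loop stopped on, and that is the part of the rewritten termination logic a reader is most likely to misread. I would add `/* skip the terminating NUL of this member in both buffers */` above them. The one-line `if (pr->buffer[ptmem] == '\0') break;` is also the only unbraced conditional in the visible code, so bracing it would match the rest. The enclosing for loop starts outside the hunk.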