summaryrefslogtreecommitdiff
path: root/src/responder/autofs
diff options
context:
space:
mode:
authorJan Cholasta <jcholast@redhat.com>2013-01-23 12:26:17 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-01-23 13:36:32 +0100
commit2bd514cfde1938b1e245af11c9b548d58d49b325 (patch)
treea332e7542d06f19f40c7e268372d17e78321fc76 /src/responder/autofs
parent5ff1c3c5a12930692cb6284d14f7fda3a974af8e (diff)
downloadsssd-2bd514cfde1938b1e245af11c9b548d58d49b325.tar.gz
sssd-2bd514cfde1938b1e245af11c9b548d58d49b325.tar.bz2
sssd-2bd514cfde1938b1e245af11c9b548d58d49b325.zip
Check that strings do not go beyond the end of the packet body in autofs and SSH requests.
This fixes CVE-2013-0220. https://fedorahosted.org/sssd/ticket/1781
Diffstat (limited to 'src/responder/autofs')
-rw-r--r--src/responder/autofs/autofssrv_cmd.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c
index 7443ebbf..e1f3aeda 100644
--- a/src/responder/autofs/autofssrv_cmd.c
+++ b/src/responder/autofs/autofssrv_cmd.c
@@ -940,7 +940,7 @@ sss_autofs_cmd_getautomntent(struct cli_ctx *client)
SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
- if (namelen == 0) {
+ if (namelen == 0 || namelen > blen - c) {
ret = EINVAL;
goto done;
}
@@ -1215,7 +1215,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client)
/* FIXME - split out a function to get string from <len><str>\0 */
SAFEALIGN_COPY_UINT32_CHECK(&namelen, body+c, blen, &c);
- if (namelen == 0) {
+ if (namelen == 0 || namelen > blen - c) {
ret = EINVAL;
goto done;
}
@@ -1239,7 +1239,7 @@ sss_autofs_cmd_getautomntbyname(struct cli_ctx *client)
/* FIXME - split out a function to get string from <len><str>\0 */
SAFEALIGN_COPY_UINT32_CHECK(&keylen, body+c, blen, &c);
- if (keylen == 0) {
+ if (keylen == 0 || keylen > blen - c) {
ret = EINVAL;
goto done;
}