Fix incorrect recv() size calculation in libkrad

Robbie Harwood 2016-06-23 16:07:50 +00:00
parent 802e825d17
commit e165eeccda
2 changed files with 50 additions and 1 deletions


@ -0,0 +1,44 @@
From c969e8a37617e9c7743a28177dd3808f7d08cee9 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Tue, 21 Jun 2016 16:12:36 -0400
Subject: [PATCH] Fix incorrect recv() size calculation in libkrad
Before this patch libkrad would always subtract the existing buffer
length from pktlen before passing it to recv(). In the case of stream
sockets, this is incorrect since krad_packet_bytes_needed() already
performs this calculation. Subtracting the buffer length twice could
cause integer underflow on the len parameter to recv().
ticket: 8430 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
---
src/lib/krad/remote.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index aaabffd..df3de3a 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -315,7 +315,7 @@ on_io_read(krad_remote *rr)
request *tmp, *r;
int i;
- pktlen = sizeof(rr->buffer_);
+ pktlen = sizeof(rr->buffer_) - rr->buffer.length;
if (rr->info->ai_socktype == SOCK_STREAM) {
pktlen = krad_packet_bytes_needed(&rr->buffer);
if (pktlen < 0) {
@@ -328,7 +328,7 @@ on_io_read(krad_remote *rr)
/* Read the packet. */
i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
- pktlen - rr->buffer.length, 0);
+ pktlen, 0);
if (i < 0) {
/* Should we try again? */
if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
--
2.8.1
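Review bot: In the SOCK_STREAM branch of the embedded remote.c change, recv() now takes `pktlen` exactly as krad_packet_bytes_needed() returned it, and the only check visible in the hunk is `pktlen < 0`. The write into `rr->buffer.data + rr->buffer.length` is therefore bounded only if that helper never returns more than the space left in `rr->buffer_`. The helper is not shown on this page, so the bound may already be guaranteed; if it is not, a guard such as `if ((size_t)pktlen > sizeof(rr->buffer_) - rr->buffer.length)`, handled the same way as the `pktlen < 0` case, would keep a length presumably taken from the peer's packet header from setting the read size. After this change `pktlen` holds the bytes still to be read in both branches rather than a packet length, which deserves a comment above the first assignment, e.g. `/* pktlen is the number of bytes still wanted, not the total packet length. */`. on_io_read's body starts and ends outside the two hunks.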


@ -13,7 +13,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.14.1
Release: 7%{?dist}
Release: 8%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@ -72,6 +72,7 @@ Patch164: krb5-1.15-kdc_send_receive_hooks.patch
Patch165: krb5-1.15-kdc_hooks_test.patch
Patch166: krb5-1.14.3-fix_otp_as_key.patch
Patch167: krb5-1.14.3-krad-recv.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@ -271,6 +272,7 @@ ln NOTICE LICENSE
%patch165 -p1 -b .kdc_hooks_test
%patch166 -p1 -b .fix_otp_as_key
%patch167 -p1 -b .krad-recv
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -801,6 +803,9 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Wed Jun 22 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-8
- Fix incorrect recv() size calculation in libkrad
* Thu Jun 16 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.1-7
- Separate out the kadm5 libs