Temporarily storing the offset time in an unsigned integer causes the
value of the offset to underflow when a (valid) negative offset value
is generated. Using a signed variable avoids this problem.
From 41682880a146951dab5d08ed940fb6c447957545 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccal...@redhat.com>
Date: Fri, 25 Sep 2015 11:35:03 -0400
Subject: [PATCH] Fix an integer underflow bug in libotp

Temporarily storing the offset time in an unsigned integer causes the
value of the offset to underflow when a (valid) negative offset value
is generated. Using a signed variable avoids this problem.
---
 daemons/ipa-slapi-plugins/libotp/otp_token.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c
index 9b90c6a1137b468103d73cd85fd7e0fcafcee616..fbe1e3469dd3b1e5ee87bd1802278217d5365be4 100644
--- a/daemons/ipa-slapi-plugins/libotp/otp_token.c
+++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c
@@ -154,7 +154,7 @@ static bool validate(struct otp_token *token, time_t now, ssize_t step,
                      uint32_t first, const uint32_t *second)
 {
     const char *attr;
-    uint32_t tmp;
+    uint32_t code;
 
     /* Calculate the absolute step. */
     switch (token->type) {
@@ -175,18 +175,18 @@ static bool validate(struct otp_token *token, time_t now, ssize_t step,
     }
 
     /* Validate the first code. */
-    if (!hotp(&token->token, step++, &tmp))
+    if (!hotp(&token->token, step++, &code))
         return false;
 
-    if (first != tmp)
+    if (first != code)
         return false;
 
     /* Validate the second code if specified. */
     if (second != NULL) {
-        if (!hotp(&token->token, step++, &tmp))
+        if (!hotp(&token->token, step++, &code))
             return false;
 
-        if (*second != tmp)
+        if (*second != code)
             return false;
     }
 
@@ -199,7 +199,7 @@ static bool validate(struct otp_token *token, time_t now, ssize_t step,
     case TYPE_TOTP:
         /* Perform optional synchronization steps. */
         if (second != NULL) {
-            tmp = (step - now / token->totp.step) * token->totp.step;
+            long long tmp = (step - now / token->totp.step) * token->totp.step;
             if (!writeattr(token, T("clockOffset"), tmp))
                 return false;
             token->totp.offset = tmp;
-- 
2.5.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to