Author: dfr
Date: Tue Apr 25 10:29:08 2017
New Revision: 317402
URL: https://svnweb.freebsd.org/changeset/base/317402

Log:
  Fix a potential problem where we might try to shift by more than 31 bits
  
  CID:    1198859

Modified:
  head/lib/librpcsec_gss/svc_rpcsec_gss.c

Modified: head/lib/librpcsec_gss/svc_rpcsec_gss.c
==============================================================================
--- head/lib/librpcsec_gss/svc_rpcsec_gss.c     Tue Apr 25 09:08:44 2017        
(r317401)
+++ head/lib/librpcsec_gss/svc_rpcsec_gss.c     Tue Apr 25 10:29:08 2017        
(r317402)
@@ -913,7 +913,9 @@ svc_rpc_gss_update_seq(struct svc_rpc_gs
 {
        int offset, i, word, bit;
        uint32_t carry, newcarry;
+       uint32_t* maskp;
 
+       maskp = client->cl_seqmask;
        if (seq > client->cl_seqlast) {
                /*
                 * This request has a sequence number greater
@@ -923,28 +925,29 @@ svc_rpc_gss_update_seq(struct svc_rpc_gs
                 * number)
                 */
                offset = seq - client->cl_seqlast;
-               while (offset > 32) {
+               while (offset >= 32) {
                        for (i = (SVC_RPC_GSS_SEQWINDOW / 32) - 1;
                             i > 0; i--) {
-                               client->cl_seqmask[i] = client->cl_seqmask[i-1];
+                               maskp[i] = maskp[i-1];
                        }
-                       client->cl_seqmask[0] = 0;
+                       maskp[0] = 0;
                        offset -= 32;
                }
-               carry = 0;
-               for (i = 0; i < SVC_RPC_GSS_SEQWINDOW / 32; i++) {
-                       newcarry = client->cl_seqmask[i] >> (32 - offset);
-                       client->cl_seqmask[i] =
-                               (client->cl_seqmask[i] << offset) | carry;
-                       carry = newcarry;
+               if (offset > 0) {
+                       carry = 0;
+                       for (i = 0; i < SVC_RPC_GSS_SEQWINDOW / 32; i++) {
+                               newcarry = maskp[i] >> (32 - offset);
+                               maskp[i] = (maskp[i] << offset) | carry;
+                               carry = newcarry;
+                       }
                }
-               client->cl_seqmask[0] |= 1;
+               maskp[0] |= 1;
                client->cl_seqlast = seq;
        } else {
                offset = client->cl_seqlast - seq;
                word = offset / 32;
                bit = offset % 32;
-               client->cl_seqmask[word] |= (1 << bit);
+               maskp[word] |= (1 << bit);
        }
 
 }
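Review bot: In the else branch, `maskp[word] |= (1 << bit);` still shifts a signed `int`, and `bit` can be 31 because it is `offset % 32`, so this is the same class of undefined shift the commit fixes in the other branch; `maskp[word] |= ((uint32_t)1 << bit);` avoids it. `word` is also used as an index with no bound check in this hunk, so the function appears to rely on callers having already rejected sequence numbers older than SVC_RPC_GSS_SEQWINDOW; a comment stating that precondition, or an explicit guard on `offset` before the store, would stop an out-of-window value from writing past `cl_seqmask`. In the first branch `offset` is an `int` computed from `seq - client->cl_seqlast`; if `seq` is a 32-bit unsigned value taken from the request, a very large jump either converts to a negative `offset` and skips both shifts, leaving stale bits in the window, or runs the word-shift loop far more often than the window has words. Clearing the mask outright when the jump is at least SVC_RPC_GSS_SEQWINDOW would handle both cases. The function's signature is outside the hunk, so the parameter types here are inferred.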