Hi everyone,

The attached patch fixes a potential packet buffer overflow with certain body sizes. Found while reading through SSSD code.

Nick
>From d708e1915e4464db9a2b0990c732c4e2edb0c0df Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov <[email protected]> Date: Thu, 7 Jul 2016 12:48:42 +0300 Subject: [PATCH] Fix packet size calculation in sss_packet_new Use division instead of modulo while rounding the created packet size up to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes potentially packet buffer overflows with certain body sizes. --- src/responder/common/responder_packet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c index 1a201c1..4f5e110 100644 --- a/src/responder/common/responder_packet.c +++ b/src/responder/common/responder_packet.c @@ -75,7 +75,7 @@ int sss_packet_new(TALLOC_CTX *mem_ctx, size_t size, if (!packet) return ENOMEM; if (size) { - int n = (size + SSS_NSS_HEADER_SIZE) % SSSSRV_PACKET_MEM_SIZE; + int n = (size + SSS_NSS_HEADER_SIZE) / SSSSRV_PACKET_MEM_SIZE; packet->memsize = (n + 1) * SSSSRV_PACKET_MEM_SIZE; } else { packet->memsize = SSSSRV_PACKET_MEM_SIZE; -- 2.8.1
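Review bot: In the changed line of sss_packet_new, n is still declared int while size is a size_t, so for a very large size the quotient can be truncated and the memsize computed on the next line can again come out smaller than size + SSS_NSS_HEADER_SIZE. Declaring n as size_t and returning an error when size + SSS_NSS_HEADER_SIZE wraps around would close that remaining case. A smaller point in the same hunk: when size + SSS_NSS_HEADER_SIZE is an exact multiple of SSSSRV_PACKET_MEM_SIZE, (n + 1) allocates one block more than needed; that is harmless, but dividing (size + SSS_NSS_HEADER_SIZE + SSSSRV_PACKET_MEM_SIZE - 1) by SSSSRV_PACKET_MEM_SIZE and dropping the + 1 would round up exactly, matching the wording of the commit message.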
_______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/admin/lists/[email protected]
