[29466] in CVS-changelog-for-Kerberos-V5


krb5 commit [krb5-1.14]: Fix incorrect recv() size calculation in

daemon@ATHENA.MIT.EDU (Tom Yu)
Wed Jul 6 16:30:52 2016

Date: Wed, 6 Jul 2016 16:30:48 -0400
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201607062030.u66KUmDo007632@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/c0a12661789ac536f0657506f0541dfb4d8a0cd9
commit c0a12661789ac536f0657506f0541dfb4d8a0cd9
Author: Nathaniel McCallum <npmccallum@redhat.com>
Date:   Tue Jun 21 16:12:36 2016 -0400

    Fix incorrect recv() size calculation in libkrad
    
    Before this patch libkrad would always subtract the existing buffer
    length from pktlen before passing it to recv().  In the case of stream
    sockets, this is incorrect since krad_packet_bytes_needed() already
    performs this calculation.  Subtracting the buffer length twice could
    cause integer underflow on the len parameter to recv().
    
    (cherry picked from commit c969e8a37617e9c7743a28177dd3808f7d08cee9)
    
    ticket: 8430
    version_fixed: 1.14.3

 src/lib/krad/remote.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index aaabffd..df3de3a 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -315,7 +315,7 @@ on_io_read(krad_remote *rr)
     request *tmp, *r;
     int i;
 
-    pktlen = sizeof(rr->buffer_);
+    pktlen = sizeof(rr->buffer_) - rr->buffer.length;
     if (rr->info->ai_socktype == SOCK_STREAM) {
         pktlen = krad_packet_bytes_needed(&rr->buffer);
         if (pktlen < 0) {
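Review bot: The new initializer `pktlen = sizeof(rr->buffer_) - rr->buffer.length;` silently depends on rr->buffer.length never exceeding sizeof(rr->buffer_). Because sizeof yields an unsigned size_t, a violated invariant would wrap to a very large value instead of going negative, and the `pktlen < 0` test shown here only runs in the SOCK_STREAM branch. An explicit guard before the subtraction (fail the read when the buffer is already full) would make the datagram path self-checking. The assignment is also overwritten immediately for stream sockets, so placing it in an else branch would show that the two socket types compute the read size differently. A short comment stating that pktlen now means "bytes to request from recv()" in both paths would help the next reader.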
@@ -328,7 +328,7 @@ on_io_read(krad_remote *rr)
 
     /* Read the packet. */
     i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
-             pktlen - rr->buffer.length, 0);
+             pktlen, 0);
     if (i < 0) {
         /* Should we try again? */
         if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
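Review bot: In the recv() call, `pktlen, 0);` now passes the stream-path value from krad_packet_bytes_needed() straight through as the length, and nothing in the visible context bounds it against the space left after rr->buffer.data + rr->buffer.length. The earlier hunk checks only for a negative result. If the helper does not itself guarantee that the result fits the remaining buffer, a check against sizeof(rr->buffer_) - rr->buffer.length before this call would close that gap; if it does, a one-line comment saying so would document the assumption. A regression test that feeds a stream packet in several short reads would also pin the fixed arithmetic down.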
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
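
The double subtraction described in the commit message, worked through as an added example (not code from krb5 or from the patch author). bytes_needed() is a hypothetical stand-in for a helper that already accounts for buffered bytes; the 4-byte header prefix, the 4096-byte buffer size and the sample bytes are assumptions made for illustration.

```c
#include <stdio.h>
#include <sys/types.h>

#define HDR_PREFIX 4    /* assumed: code(1) + id(1) + length(2) */
#define BUF_MAX    4096 /* assumed capacity of the receive buffer */

/* Constructed sample: first bytes of a packet whose length field says 20. */
static const unsigned char sample[20] = { 0x02, 0x01, 0x00, 0x14 };

/* Hypothetical stand-in for a "bytes still needed" helper on a stream
 * socket; it already subtracts what is buffered. */
static ssize_t bytes_needed(const unsigned char *buf, size_t buffered)
{
    size_t total;
    if (buffered < HDR_PREFIX)
        return (ssize_t)(HDR_PREFIX - buffered);
    total = ((size_t)buf[2] << 8) | buf[3];   /* big-endian length field */
    if (total > BUF_MAX || total < buffered)
        return -1;
    return (ssize_t)(total - buffered);
}

/* Pre-patch arithmetic: the buffered length is subtracted a second time. */
static size_t recv_len_before(const unsigned char *buf, size_t buffered)
{
    ssize_t pktlen = bytes_needed(buf, buffered);
    return pktlen < 0 ? 0 : (size_t)(pktlen - (ssize_t)buffered);
}

/* Post-patch arithmetic: the helper's result is used as is. */
static size_t recv_len_after(const unsigned char *buf, size_t buffered)
{
    ssize_t pktlen = bytes_needed(buf, buffered);
    return pktlen < 0 ? 0 : (size_t)pktlen;
}

/* 1 if a read of len bytes would run past the end of the buffer. */
static int overruns(size_t len, size_t buffered)
{
    return len > BUF_MAX - buffered;
}

int main(void)
{
    for (size_t n = 0; n <= 20; n += 3)
        printf("buffered=%2zu before=%zu after=%zu overrun_before=%d\n", n,
               recv_len_before(sample, n), recv_len_after(sample, n),
               overruns(recv_len_before(sample, n), n));
    return 0;
}
```

With 3 bytes buffered the helper reports 1 byte needed; subtracting 3 again gives -2, which becomes a length near SIZE_MAX once converted to size_t.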
