krb5 commit: Fix incorrect recv() size calculation in libkrad

Greg Hudson ghudson at mit.edu
Wed Jun 22 13:26:16 EDT 2016


https://github.com/krb5/krb5/commit/c969e8a37617e9c7743a28177dd3808f7d08cee9
commit c969e8a37617e9c7743a28177dd3808f7d08cee9
Author: Nathaniel McCallum <npmccallum at redhat.com>
Date:   Tue Jun 21 16:12:36 2016 -0400

    Fix incorrect recv() size calculation in libkrad
    
    Before this patch libkrad would always subtract the existing buffer
    length from pktlen before passing it to recv().  In the case of stream
    sockets, this is incorrect since krad_packet_bytes_needed() already
    performs this calculation.  Subtracting the buffer length twice could
    cause integer underflow on the len parameter to recv().
    
    ticket: 8430 (new)
    target_version: 1.14-next
    target_version: 1.13-next
    tags: pullup

 src/lib/krad/remote.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index aaabffd..df3de3a 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -315,7 +315,7 @@ on_io_read(krad_remote *rr)
     request *tmp, *r;
     int i;
 
-    pktlen = sizeof(rr->buffer_);
+    pktlen = sizeof(rr->buffer_) - rr->buffer.length;
     if (rr->info->ai_socktype == SOCK_STREAM) {
         pktlen = krad_packet_bytes_needed(&rr->buffer);
         if (pktlen < 0) {
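Review bot: The new initializer on the pktlen line, sizeof(rr->buffer_) - rr->buffer.length, is only meaningful for the non-stream case, because the SOCK_STREAM branch immediately overwrites it with krad_packet_bytes_needed(). Writing this as an if/else would make it obvious that each path computes the remaining byte count exactly once, which is the property this fix relies on. The subtraction also assumes rr->buffer.length never exceeds sizeof(rr->buffer_): the sizeof operand is unsigned while pktlen is compared with < 0 and so is signed, so a short comment or assertion stating that bound would help.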
@@ -328,7 +328,7 @@ on_io_read(krad_remote *rr)
 
     /* Read the packet. */
     i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
-             pktlen - rr->buffer.length, 0);
+             pktlen, 0);
     if (i < 0) {
         /* Should we try again? */
         if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
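Review bot: The recv() call now takes pktlen as-is, so the comment above it ("Read the packet.") should say that pktlen means bytes still wanted, not total packet size, since the two were confused before. Nothing in these lines checks that the stream-path value fits in the space left after rr->buffer.data + rr->buffer.length, so it is worth confirming that krad_packet_bytes_needed() guarantees this, or clamping to the remaining space before the call. If pktlen can be 0 at this point, recv() returns 0 on a stream socket, which should not be treated as the peer closing the connection. The diffstat shows only remote.c changed; a test that delivers one stream packet across several reads would cover the regression.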

