From 0ee0de08a6b389a7593198c918dc894c87dcbe96 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum
Date: Fri, 25 Sep 2015 11:35:03 -0400
Subject: [PATCH] Fix an integer underflow bug in libotp

Temporarily storing the offset time in an unsigned integer causes the value of the offset to underflow when a (valid) negative offset value is generated. Using a signed variable avoids this problem.
https://fedorahosted.org/freeipa/ticket/5333
Reviewed-By: Tomas Babej
---
 daemons/ipa-slapi-plugins/libotp/otp_token.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c
index 9b90c6a1137b468103d73cd85fd7e0fcafcee616..a3cbfb0621c071f8addb29f7ce02f870a807c61d 100644
--- a/daemons/ipa-slapi-plugins/libotp/otp_token.c
+++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c
@@ -199,10 +199,10 @@ static bool validate(struct otp_token *token, time_t now, ssize_t step,
 case TYPE_TOTP:
 /* Perform optional synchronization steps. */
 if (second != NULL) {
- tmp = (step - now / token->totp.step) * token->totp.step;
- if (!writeattr(token, T("clockOffset"), tmp))
+ long long off = (step - now / token->totp.step) * token->totp.step;
+ if (!writeattr(token, T("clockOffset"), off))
 return false;
- token->totp.offset = tmp;
+ token->totp.offset = off;
 }
 token->totp.watermark = step;
 break;
-- 
2.4.3
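Review bot: The signed destination on the `long long off = ...` line only helps if the subtraction and multiplication are themselves evaluated in a signed type. The declaration of `token->totp.step` is not visible in this hunk; if it is unsigned and at least as wide as `ssize_t` on some target (for example a 32-bit build), the expression still wraps before it is stored in `off`. Casting the operands makes the result independent of platform widths: `long long off = ((long long)step - (long long)(now / token->totp.step)) * (long long)token->totp.step;`. The same line divides by `token->totp.step`, so it is worth confirming outside this hunk that a token entry with a zero time step is rejected before `validate` runs, and that `token->totp.offset` and `writeattr`'s value parameter can hold the full signed range of `off`. `validate` begins and ends outside the hunk.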