From 0ee0de08a6b389a7593198c918dc894c87dcbe96 Mon Sep 17 00:00:00 2001

From: Nathaniel McCallum <npmccallum@redhat.com>

Date: Fri, 25 Sep 2015 11:35:03 -0400

Subject: [PATCH] Fix an integer underflow bug in libotp

Temporarily storing the offset time in an unsigned integer causes the

value of the offset to underflow when a (valid) negative offset value

is generated. Using a signed variable avoids this problem.

https://fedorahosted.org/freeipa/ticket/5333

Reviewed-By: Tomas Babej <tbabej@redhat.com>

---

 daemons/ipa-slapi-plugins/libotp/otp_token.c | 6 +++---

 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/libotp/otp_token.c b/daemons/ipa-slapi-plugins/libotp/otp_token.c

index 9b90c6a1137b468103d73cd85fd7e0fcafcee616..a3cbfb0621c071f8addb29f7ce02f870a807c61d 100644

--- a/daemons/ipa-slapi-plugins/libotp/otp_token.c

+++ b/daemons/ipa-slapi-plugins/libotp/otp_token.c

@@ -199,10 +199,10 @@ static bool validate(struct otp_token *token, time_t now, ssize_t step,

     case TYPE_TOTP:

         /* Perform optional synchronization steps. */

         if (second != NULL) {

-            tmp = (step - now / token->totp.step) * token->totp.step;

-            if (!writeattr(token, T("clockOffset"), tmp))

+            long long off = (step - now / token->totp.step) * token->totp.step;

+            if (!writeattr(token, T("clockOffset"), off))

                 return false;

-            token->totp.offset = tmp;

+            token->totp.offset = off;

         }

         token->totp.watermark = step;

         break;

-- 

2.4.3