From c969e8a37617e9c7743a28177dd3808f7d08cee9 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Tue, 21 Jun 2016 16:12:36 -0400
Subject: [PATCH] Fix incorrect recv() size calculation in libkrad
Before this patch libkrad would always subtract the existing buffer
length from pktlen before passing it to recv(). In the case of stream
sockets, this is incorrect since krad_packet_bytes_needed() already
performs this calculation. Subtracting the buffer length twice could
cause integer underflow on the len parameter to recv().
ticket: 8430 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
---
src/lib/krad/remote.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index aaabffd..df3de3a 100644
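--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -315,7 +315,7 @@ on_io_read(krad_remote *rr)
 request *tmp, *r;
 int i;
 
- pktlen = sizeof(rr->buffer_);
+ pktlen = sizeof(rr->buffer_) - rr->buffer.length;
 if (rr->info->ai_socktype == SOCK_STREAM) {
 pktlen = krad_packet_bytes_needed(&rr->buffer);
 if (pktlen < 0) {
@@ -328,7 +328,7 @@ on_io_read(krad_remote *rr)
 
 /* Read the packet. */
 i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
- pktlen - rr->buffer.length, 0);
+ pktlen, 0);
 if (i < 0) {
 /* Should we try again? */
 if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)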
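Review bot: In the SOCK_STREAM branch the length handed to recv() is now whatever krad_packet_bytes_needed() returns, and the only check visible between the two is `pktlen < 0`; nothing in these hunks bounds it by the space left in rr->buffer_. If that helper does not already cap the packet size (it is not shown here, so this is to be confirmed), a peer-supplied length field could make recv() write past the buffer; a cheap guard before the call would be `if ((size_t)pktlen > sizeof(rr->buffer_) - rr->buffer.length) { /* fail like the pktlen < 0 branch */ }`. I would also add a comment above the first assignment such as `/* pktlen is the number of bytes still to read, not the total packet size. */`, since confusing the two is what this fix corrects. on_io_read() starts before the first hunk and continues past the second, so the declaration of pktlen and the error paths are outside this view.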
--
2.8.1