From cb2f9e4c355d70a50cdac75708da62d7d4ace0c4 Mon Sep 17 00:00:00 2001 From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> Date: Thu, 7 Jul 2016 12:48:42 +0300 Subject: [PATCH 24/24] Fix packet size calculation in sss_packet_new MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use division instead of modulo while rounding the created packet size up to a multiple of SSSSRV_PACKET_MEM_SIZE in sss_packet_new. This fixes potentially packet buffer overflows with certain body sizes. Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 740bfe1a5bf519de8e13bdce5c4143b0f24d7433) (cherry picked from commit 6d17ccbeef667d9151a2f1f67f3c2b38d0bf0a4c) --- src/responder/common/responder_packet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c index 1a201c15c5acc0c045f71e15c578a5c039045d3d..4f5e110837eb76609d31a77c62a00e00530ffc90 100644 --- a/src/responder/common/responder_packet.c +++ b/src/responder/common/responder_packet.c @@ -75,7 +75,7 @@ int sss_packet_new(TALLOC_CTX *mem_ctx, size_t size, if (!packet) return ENOMEM; if (size) { - int n = (size + SSS_NSS_HEADER_SIZE) % SSSSRV_PACKET_MEM_SIZE; + int n = (size + SSS_NSS_HEADER_SIZE) / SSSSRV_PACKET_MEM_SIZE; packet->memsize = (n + 1) * SSSSRV_PACKET_MEM_SIZE; } else { packet->memsize = SSSSRV_PACKET_MEM_SIZE; -- 2.7.4