From: Nathaniel McCallum Date: Tue, 21 Jun 2016 20:12:36 +0000 (-0400) Subject: Fix incorrect recv() size calculation in libkrad X-Git-Tag: krb5-1.15-beta1~162 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c969e8a37617e9c7743a28177dd3808f7d08cee9;p=thirdparty%2Fkrb5.git Fix incorrect recv() size calculation in libkrad Before this patch libkrad would always subtract the existing buffer length from pktlen before passing it to recv(). In the case of stream sockets, this is incorrect since krad_packet_bytes_needed() already performs this calculation. Subtracting the buffer length twice could cause integer underflow on the len parameter to recv(). ticket: 8430 (new) target_version: 1.14-next target_version: 1.13-next tags: pullup
---
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index aaabffd4f1..df3de3ad22 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -315,7 +315,7 @@ on_io_read(krad_remote *rr)
 request *tmp, *r;
 int i;
- pktlen = sizeof(rr->buffer_);
+ pktlen = sizeof(rr->buffer_) - rr->buffer.length;
 if (rr->info->ai_socktype == SOCK_STREAM) {
 pktlen = krad_packet_bytes_needed(&rr->buffer);
 if (pktlen < 0) {
@@ -328,7 +328,7 @@ on_io_read(krad_remote *rr)
 /* Read the packet. */
 i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
- pktlen - rr->buffer.length, 0);
+ pktlen, 0);
 if (i < 0) {
 /* Should we try again? */
 if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
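Review bot: The new datagram-path initialiser `pktlen = sizeof(rr->buffer_) - rr->buffer.length;` is an unsigned subtraction, and the only sanity check visible in this hunk, `if (pktlen < 0)`, sits inside the SOCK_STREAM branch. If rr->buffer.length could ever exceed the backing array, the result wraps before it reaches recv(), which is the same class of underflow this commit removes for stream sockets. Nothing in the hunk shows that invariant being enforced, so I would run the `pktlen < 0` test after the branch for both socket types (this presumes pktlen is a signed type; its declaration is outside the hunk). At the least, state the contract above the assignment: `/* pktlen = bytes still to read; buffer.length never exceeds sizeof(buffer_). */`. The body of on_io_read starts and ends outside the hunk.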
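Review bot: For a stream socket, the length now handed to recv() in the second hunk is exactly what krad_packet_bytes_needed() returned, presumably computed from the partially received packet and so influenced by the peer. The write at `rr->buffer.data + rr->buffer.length` is therefore only as safe as that helper's cap on its result, which is not visible here. A local guard before the call, for example comparing pktlen with `sizeof(rr->buffer_) - rr->buffer.length` and treating a larger value like the existing malformed-packet case, would keep the bound next to the write. Separately, `i` is declared `int` in the first hunk but receives the `ssize_t` return of recv(); `ssize_t i;` avoids the narrowing. The function continues past the end of the hunk, so how a zero-length read is handled cannot be judged from here.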