From: Nathaniel McCallum Date: Tue, 21 Jun 2016 20:12:36 +0000 (-0400) Subject: Fix incorrect recv() size calculation in libkrad X-Git-Tag: krb5-1.13.6-final~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5b8dab42d541d2600c76647dedf56251f7f9da33;p=thirdparty%2Fkrb5.git Fix incorrect recv() size calculation in libkrad Before this patch libkrad would always subtract the existing buffer length from pktlen before passing it to recv(). In the case of stream sockets, this is incorrect since krad_packet_bytes_needed() already performs this calculation. Subtracting the buffer length twice could cause integer underflow on the len parameter to recv(). (cherry picked from commit c969e8a37617e9c7743a28177dd3808f7d08cee9) ticket: 8430 version_fixed: 1.13.6 tags: -pullup status: resolved
---
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index aaabffd4f1..df3de3ad22 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -315,7 +315,7 @@ on_io_read(krad_remote *rr)
 request *tmp, *r;
 int i;
- pktlen = sizeof(rr->buffer_);
+ pktlen = sizeof(rr->buffer_) - rr->buffer.length;
 if (rr->info->ai_socktype == SOCK_STREAM) {
 pktlen = krad_packet_bytes_needed(&rr->buffer);
 if (pktlen < 0) {
@@ -328,7 +328,7 @@ on_io_read(krad_remote *rr)
 /* Read the packet. */
 i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
- pktlen - rr->buffer.length, 0);
+ pktlen, 0);
 if (i < 0) {
 /* Should we try again? */
 if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
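Review bot: The remaining-capacity bound is thrown away on the stream path: the new `pktlen = sizeof(rr->buffer_) - rr->buffer.length;` is overwritten at once by `krad_packet_bytes_needed(&rr->buffer)`, so the length handed to recv() in the second hunk is limited only by what that helper returns. The helper is not visible here; if it can ever return more than the space left in `rr->buffer_`, the read would write past the buffer. A local clamp would make the bound explicit: `size_t space = sizeof(rr->buffer_) - rr->buffer.length;` and, after the `pktlen < 0` check, `if ((size_t)pktlen > space) pktlen = space;`. The subtraction also presumes `rr->buffer.length` never exceeds `sizeof(rr->buffer_)`, which nothing in the hunk shows. The body of on_io_read starts and ends outside the hunk.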
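Review bot: The recv() call needs a comment stating that `pktlen` is already net of the buffered bytes, because the bug fixed here was a second subtraction of `rr->buffer.length` at exactly this call. A line such as `/* pktlen already accounts for rr->buffer.length on both socket paths; do not subtract it again. */` above the call would guard against reintroducing it. Separately, `pktlen` appears to be signed (the first hunk tests `pktlen < 0`) and is converted implicitly to recv()'s size_t length. Its declaration is outside the hunk, so confirm that no negative value can reach this call on the datagram path. on_io_read continues past the end of the hunk.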