mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-25 03:54:17 +01:00
Fix a potential problem where we might try to shift by more than 31 bits
CID: 1198859
This commit is contained in:
parent
1e9e374199
commit
11bc2c1ca7
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=317402
@ -913,7 +913,9 @@ svc_rpc_gss_update_seq(struct svc_rpc_gss_client *client, uint32_t seq)
|
||||
{
|
||||
int offset, i, word, bit;
|
||||
uint32_t carry, newcarry;
|
||||
uint32_t* maskp;
|
||||
|
||||
maskp = client->cl_seqmask;
|
||||
if (seq > client->cl_seqlast) {
|
||||
/*
|
||||
* This request has a sequence number greater
|
||||
@ -923,28 +925,29 @@ svc_rpc_gss_update_seq(struct svc_rpc_gss_client *client, uint32_t seq)
|
||||
* number)
|
||||
*/
|
||||
offset = seq - client->cl_seqlast;
|
||||
while (offset > 32) {
|
||||
while (offset >= 32) {
|
||||
for (i = (SVC_RPC_GSS_SEQWINDOW / 32) - 1;
|
||||
i > 0; i--) {
|
||||
client->cl_seqmask[i] = client->cl_seqmask[i-1];
|
||||
maskp[i] = maskp[i-1];
|
||||
}
|
||||
client->cl_seqmask[0] = 0;
|
||||
maskp[0] = 0;
|
||||
offset -= 32;
|
||||
}
|
||||
carry = 0;
|
||||
for (i = 0; i < SVC_RPC_GSS_SEQWINDOW / 32; i++) {
|
||||
newcarry = client->cl_seqmask[i] >> (32 - offset);
|
||||
client->cl_seqmask[i] =
|
||||
(client->cl_seqmask[i] << offset) | carry;
|
||||
carry = newcarry;
|
||||
if (offset > 0) {
|
||||
carry = 0;
|
||||
for (i = 0; i < SVC_RPC_GSS_SEQWINDOW / 32; i++) {
|
||||
newcarry = maskp[i] >> (32 - offset);
|
||||
maskp[i] = (maskp[i] << offset) | carry;
|
||||
carry = newcarry;
|
||||
}
|
||||
}
|
||||
client->cl_seqmask[0] |= 1;
|
||||
maskp[0] |= 1;
|
||||
client->cl_seqlast = seq;
|
||||
} else {
|
||||
offset = client->cl_seqlast - seq;
|
||||
word = offset / 32;
|
||||
bit = offset % 32;
|
||||
client->cl_seqmask[word] |= (1 << bit);
|
||||
maskp[word] |= (1 << bit);
|
||||
}
|
||||
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user