Date:      Tue, 25 Apr 2017 10:29:08 +0000 (UTC)
From:      Doug Rabson <dfr@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r317402 - head/lib/librpcsec_gss
Message-ID:  <201704251029.v3PAT8tw017325@repo.freebsd.org>

Author: dfr
Date: Tue Apr 25 10:29:08 2017
New Revision: 317402
URL: https://svnweb.freebsd.org/changeset/base/317402

Log:
  Fix a potential problem where we might try to shift by more than 31 bits
  
  CID:    1198859

Modified:
  head/lib/librpcsec_gss/svc_rpcsec_gss.c

Modified: head/lib/librpcsec_gss/svc_rpcsec_gss.c
==============================================================================
--- head/lib/librpcsec_gss/svc_rpcsec_gss.c	Tue Apr 25 09:08:44 2017	(r317401)
+++ head/lib/librpcsec_gss/svc_rpcsec_gss.c	Tue Apr 25 10:29:08 2017	(r317402)
@@ -913,7 +913,9 @@ svc_rpc_gss_update_seq(struct svc_rpc_gs
 {
 	int offset, i, word, bit;
 	uint32_t carry, newcarry;
+	uint32_t* maskp;
 
+	maskp = client->cl_seqmask;
 	if (seq > client->cl_seqlast) {
 		/*
 		 * This request has a sequence number greater
@@ -923,28 +925,29 @@ svc_rpc_gss_update_seq(struct svc_rpc_gs
 		 * number)
 		 */
 		offset = seq - client->cl_seqlast;
-		while (offset > 32) {
+		while (offset >= 32) {
 			for (i = (SVC_RPC_GSS_SEQWINDOW / 32) - 1;
 			     i > 0; i--) {
-				client->cl_seqmask[i] = client->cl_seqmask[i-1];
+				maskp[i] = maskp[i-1];
 			}
-			client->cl_seqmask[0] = 0;
+			maskp[0] = 0;
 			offset -= 32;
 		}
-		carry = 0;
-		for (i = 0; i < SVC_RPC_GSS_SEQWINDOW / 32; i++) {
-			newcarry = client->cl_seqmask[i] >> (32 - offset);
-			client->cl_seqmask[i] =
-				(client->cl_seqmask[i] << offset) | carry;
-			carry = newcarry;
+		if (offset > 0) {
+			carry = 0;
+			for (i = 0; i < SVC_RPC_GSS_SEQWINDOW / 32; i++) {
+				newcarry = maskp[i] >> (32 - offset);
+				maskp[i] = (maskp[i] << offset) | carry;
+				carry = newcarry;
+			}
 		}
-		client->cl_seqmask[0] |= 1;
+		maskp[0] |= 1;
 		client->cl_seqlast = seq;
 	} else {
 		offset = client->cl_seqlast - seq;
 		word = offset / 32;
 		bit = offset % 32;
-		client->cl_seqmask[word] |= (1 << bit);
+		maskp[word] |= (1 << bit);
 	}
 
 }
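Review bot: The else branch still computes `(1 << bit)` with a signed `int` constant, so when `bit` is 31 the shift lands in the sign bit, which is undefined behaviour for a signed left shift and the same class of problem this commit fixes in the other branch; `maskp[word] |= ((uint32_t)1 << bit);` keeps the operation unsigned. `word` is also used as an index with no bound visible in the hunk, so this relies on the caller having already rejected sequence numbers older than the window; presumably the replay check does that, but it is worth confirming or asserting `word < SVC_RPC_GSS_SEQWINDOW / 32` here. In the first branch a large forward jump runs the word-shift loop `offset / 32` times, even though any offset at or beyond SVC_RPC_GSS_SEQWINDOW leaves the mask all zero, so clearing the mask directly in that case would bound the work done per request. The function's signature and parameter types are outside this hunk, so the type of `seq` should be checked against these points.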


