Compare_principal_realm ran a sanity check on UPN size and realm size,
but the check was not correct in case the realms were different and the
UPN realm was much shorter then the "realm" parameter.
>From 153208abeb8d325026084b03371104a4b4cdda2b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Mon, 19 Nov 2012 21:38:02 +0100
Subject: [PATCH] KRB5: Fix UPN size check
compare_principal_realm ran a sanity check on UPN size and realm size,
but the check was not correct in case the realms were different and the
UPN realm was much shorter then the "realm" parameter.
---
src/providers/krb5/krb5_common.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index
ee3d72525cfbe4ebbe68e5724c2f46ef220babab..47a16f79f97e320021c601bd2f7f6930c4502e52
100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -910,10 +910,7 @@ errno_t compare_principal_realm(const char *upn, const
char *realm,
realm_len = strlen(realm);
at_sign = strchr(upn, '@');
- /* if coming from the same realm the upn must be at least the size of the
- * realm plus 1 for the '@' char. */
- if (upn_len == 0 || realm_len == 0 || upn_len <= realm_len + 1 ||
- at_sign == NULL) {
+ if (upn_len == 0 || realm_len == 0 || at_sign == NULL) {
return EINVAL;
}
@@ -923,5 +920,11 @@ errno_t compare_principal_realm(const char *upn, const
char *realm,
*different_realm = true;
}
+ /* if coming from the same realm the upn must be at least the size of the
+ * realm plus 1 for the '@' char. */
+ if (different_realm == false && upn_len <= realm_len + 1) {
+ return EINVAL;
+ }
+
return EOK;
}
--
1.8.0
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
