From e7c9ff18f41d9951aff3c99dca7db1871e53cfaf Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 28 Feb 2017 14:19:53 +0100
Subject: [PATCH 13/15] nss: allow larger buffer for certificate based requests
To make sure larger certificates can be processed as well the maximal
buffer size is increased for requests by certificate.
Related to https://pagure.io/SSSD/sssd/issue/3050
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/responder/common/responder_packet.c | 21 ++++++++++++++++++++-
src/responder/common/responder_packet.h | 1 +
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/responder/common/responder_packet.c b/src/responder/common/responder_packet.c
index 4f5e110837eb76609d31a77c62a00e00530ffc90..cc4d66995965cca4c86a80c31d2afd4c9ac3e0e4 100644
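--- a/src/responder/common/responder_packet.c
+++ b/src/responder/common/responder_packet.c
@@ -179,6 +179,8 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
 size_t rb;
 size_t len;
 void *buf;
+ size_t new_len;
+ int ret;
 
 buf = (uint8_t *)packet->buffer + packet->iop;
 if (packet->iop > 4) len = sss_packet_get_len(packet) - packet->iop;
@@ -205,7 +207,24 @@ int sss_packet_recv(struct sss_packet *packet, int fd)
 }
 
 if (sss_packet_get_len(packet) > packet->memsize) {
- return EINVAL;
+ /* Allow certificate based requests to use larger buffer but not
+ * larger than SSS_CERT_PACKET_MAX_RECV_SIZE. Due to the way
+ * sss_packet_grow() works the packet len must be set to '0' first and
+ * then grow to the expected size. */
+ if ((sss_packet_get_cmd(packet) == SSS_NSS_GETNAMEBYCERT
+ || sss_packet_get_cmd(packet) == SSS_NSS_GETLISTBYCERT)
+ && packet->memsize < SSS_CERT_PACKET_MAX_RECV_SIZE
+ && (new_len = sss_packet_get_len(packet))
+ < SSS_CERT_PACKET_MAX_RECV_SIZE) {
+ new_len = sss_packet_get_len(packet);
+ sss_packet_set_len(packet, 0);
+ ret = sss_packet_grow(packet, new_len);
+ if (ret != EOK) {
+ return ret;
+ }
+ } else {
+ return EINVAL;
+ }
 }
 
 packet->iop += rb;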
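Review bot: The length comparison in the second hunk uses `<`, so a request of exactly SSS_CERT_PACKET_MAX_RECV_SIZE bytes is rejected although the comment above it says "not larger than"; either use `<=` or reword the comment so the two agree. `new_len` is also assigned inside the condition and again on the first line of the body, so the embedded assignment can go: `&& sss_packet_get_len(packet) < SSS_CERT_PACKET_MAX_RECV_SIZE) {`. Both the command and the length come from the client-supplied header, and this block runs before `packet->iop += rb;`, so it is worth confirming (the hunks do not show it) that the whole header has arrived before `sss_packet_get_cmd()` is trusted to select the larger limit. A short comment noting that the 10x limit is granted on a client-declared command alone would help later readers judge the memory a single connection can claim. The body of sss_packet_recv() starts and ends outside both hunks.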
diff --git a/src/responder/common/responder_packet.h b/src/responder/common/responder_packet.h
index 3ad0eee28477e446c9e4996617beb55f32923d47..afceb4aaefa40fd86bdfde820c92c09b65cd8702 100644
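--- a/src/responder/common/responder_packet.h
+++ b/src/responder/common/responder_packet.h
@@ -25,6 +25,7 @@
 #include "sss_client/sss_cli.h"
 
 #define SSS_PACKET_MAX_RECV_SIZE 1024
+#define SSS_CERT_PACKET_MAX_RECV_SIZE ( 10 * SSS_PACKET_MAX_RECV_SIZE )
 
 struct sss_packet;
 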
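Review bot: The new SSS_CERT_PACKET_MAX_RECV_SIZE carries no comment saying which requests it governs, and that is the first thing a reader auditing receive limits will look for. A one-line comment above it would do, for example `/* Receive limit for SSS_NSS_GETNAMEBYCERT and SSS_NSS_GETLISTBYCERT requests; all other commands stay at SSS_PACKET_MAX_RECV_SIZE */`. The padding inside the parentheses is also unusual next to the plain `1024` on the previous line; `(10 * SSS_PACKET_MAX_RECV_SIZE)` would be the more conventional form.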
--
2.9.3