Fix a potential problem where we might try to shift by more than 31 bits
CID: 1198859
This commit is contained in:
parent
43d25aa7cd
commit
2eda214c87
@ -913,7 +913,9 @@ svc_rpc_gss_update_seq(struct svc_rpc_gss_client *client, uint32_t seq)
|
||||
{
|
||||
int offset, i, word, bit;
|
||||
uint32_t carry, newcarry;
|
||||
uint32_t* maskp;
|
||||
|
||||
maskp = client->cl_seqmask;
|
||||
if (seq > client->cl_seqlast) {
|
||||
/*
|
||||
* This request has a sequence number greater
|
||||
@ -923,28 +925,29 @@ svc_rpc_gss_update_seq(struct svc_rpc_gss_client *client, uint32_t seq)
|
||||
* number)
|
||||
*/
|
||||
offset = seq - client->cl_seqlast;
|
||||
while (offset > 32) {
|
||||
while (offset >= 32) {
|
||||
for (i = (SVC_RPC_GSS_SEQWINDOW / 32) - 1;
|
||||
i > 0; i--) {
|
||||
client->cl_seqmask[i] = client->cl_seqmask[i-1];
|
||||
maskp[i] = maskp[i-1];
|
||||
}
|
||||
client->cl_seqmask[0] = 0;
|
||||
maskp[0] = 0;
|
||||
offset -= 32;
|
||||
}
|
||||
if (offset > 0) {
|
||||
carry = 0;
|
||||
for (i = 0; i < SVC_RPC_GSS_SEQWINDOW / 32; i++) {
|
||||
newcarry = client->cl_seqmask[i] >> (32 - offset);
|
||||
client->cl_seqmask[i] =
|
||||
(client->cl_seqmask[i] << offset) | carry;
|
||||
newcarry = maskp[i] >> (32 - offset);
|
||||
maskp[i] = (maskp[i] << offset) | carry;
|
||||
carry = newcarry;
|
||||
}
|
||||
client->cl_seqmask[0] |= 1;
|
||||
}
|
||||
maskp[0] |= 1;
|
||||
client->cl_seqlast = seq;
|
||||
} else {
|
||||
offset = client->cl_seqlast - seq;
|
||||
word = offset / 32;
|
||||
bit = offset % 32;
|
||||
client->cl_seqmask[word] |= (1 << bit);
|
||||
maskp[word] |= (1 << bit);
|
||||
}
|
||||
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user