Fix a potential problem where we might try to shift by more than 31 bits

CID:    1198859
This commit is contained in:
dfr 2017-04-25 10:29:08 +00:00
parent 43d25aa7cd
commit 2eda214c87

View File

@ -913,7 +913,9 @@ svc_rpc_gss_update_seq(struct svc_rpc_gss_client *client, uint32_t seq)
{
int offset, i, word, bit;
uint32_t carry, newcarry;
uint32_t* maskp;
maskp = client->cl_seqmask;
if (seq > client->cl_seqlast) {
/*
* This request has a sequence number greater
@ -923,28 +925,29 @@ svc_rpc_gss_update_seq(struct svc_rpc_gss_client *client, uint32_t seq)
* number)
*/
offset = seq - client->cl_seqlast;
while (offset > 32) {
while (offset >= 32) {
for (i = (SVC_RPC_GSS_SEQWINDOW / 32) - 1;
i > 0; i--) {
client->cl_seqmask[i] = client->cl_seqmask[i-1];
maskp[i] = maskp[i-1];
}
client->cl_seqmask[0] = 0;
maskp[0] = 0;
offset -= 32;
}
if (offset > 0) {
carry = 0;
for (i = 0; i < SVC_RPC_GSS_SEQWINDOW / 32; i++) {
newcarry = client->cl_seqmask[i] >> (32 - offset);
client->cl_seqmask[i] =
(client->cl_seqmask[i] << offset) | carry;
newcarry = maskp[i] >> (32 - offset);
maskp[i] = (maskp[i] << offset) | carry;
carry = newcarry;
}
client->cl_seqmask[0] |= 1;
}
maskp[0] |= 1;
client->cl_seqlast = seq;
} else {
offset = client->cl_seqlast - seq;
word = offset / 32;
bit = offset % 32;
client->cl_seqmask[word] |= (1 << bit);
maskp[word] |= (1 << bit);
}
}