Fix a potential problem where we might try to shift by more than 31 bits

CID: 1198859
nhuff · Apr 25, 2017 · 11bc2c1 · 11bc2c1
1 parent 1e9e374
commit 11bc2c1
Showing 1 changed file with 14 additions and 11 deletions.
diff --git a/lib/librpcsec_gss/svc_rpcsec_gss.c b/lib/librpcsec_gss/svc_rpcsec_gss.c
@@ -913,7 +913,9 @@ svc_rpc_gss_update_seq(struct svc_rpc_gss_client *client, uint32_t seq)
 {
 	int offset, i, word, bit;
 	uint32_t carry, newcarry;
+	uint32_t* maskp;
 
+	maskp = client->cl_seqmask;
 	if (seq > client->cl_seqlast) {
 		/*
 		 * This request has a sequence number greater
@@ -923,28 +925,29 @@ svc_rpc_gss_update_seq(struct svc_rpc_gss_client *client, uint32_t seq)
 		 * number)
 		 */
 		offset = seq - client->cl_seqlast;
-		while (offset > 32) {
+		while (offset >= 32) {
 			for (i = (SVC_RPC_GSS_SEQWINDOW / 32) - 1;
 			     i > 0; i--) {
-				client->cl_seqmask[i] = client->cl_seqmask[i-1];
+				maskp[i] = maskp[i-1];
 			}
-			client->cl_seqmask[0] = 0;
+			maskp[0] = 0;
 			offset -= 32;
 		}
-		carry = 0;
-		for (i = 0; i < SVC_RPC_GSS_SEQWINDOW / 32; i++) {
-			newcarry = client->cl_seqmask[i] >> (32 - offset);
-			client->cl_seqmask[i] =
-				(client->cl_seqmask[i] << offset) | carry;
-			carry = newcarry;
+		if (offset > 0) {
+			carry = 0;
+			for (i = 0; i < SVC_RPC_GSS_SEQWINDOW / 32; i++) {
+				newcarry = maskp[i] >> (32 - offset);
+				maskp[i] = (maskp[i] << offset) | carry;
+				carry = newcarry;
+			}
 		}
-		client->cl_seqmask[0] |= 1;
+		maskp[0] |= 1;
 		client->cl_seqlast = seq;
 	} else {
 		offset = client->cl_seqlast - seq;
 		word = offset / 32;
 		bit = offset % 32;
-		client->cl_seqmask[word] |= (1 << bit);
+		maskp[word] |= (1 << bit);
 	}
 
 }