From e165eeccda5209c3a11833f5198e761964fca5e0 Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Jun 23 2016 16:07:51 +0000
Subject: Fix incorrect recv() size calculation in libkrad

---

diff --git a/krb5-1.14.3-krad-recv.patch b/krb5-1.14.3-krad-recv.patch
new file mode 100644
index 0000000..9016c88
--- /dev/null
+++ b/krb5-1.14.3-krad-recv.patch
@@ -0,0 +1,44 @@
+From c969e8a37617e9c7743a28177dd3808f7d08cee9 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum
+Date: Tue, 21 Jun 2016 16:12:36 -0400
+Subject: [PATCH] Fix incorrect recv() size calculation in libkrad
+
+Before this patch libkrad would always subtract the existing buffer
+length from pktlen before passing it to recv(). In the case of stream
+sockets, this is incorrect since krad_packet_bytes_needed() already
+performs this calculation. Subtracting the buffer length twice could
+cause integer underflow on the len parameter to recv().
+
+ticket: 8430 (new)
+target_version: 1.14-next
+target_version: 1.13-next
+tags: pullup
+---
+ src/lib/krad/remote.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index aaabffd..df3de3a 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -315,7 +315,7 @@ on_io_read(krad_remote *rr)
+ request *tmp, *r;
+ int i;
+
+- pktlen = sizeof(rr->buffer_);
++ pktlen = sizeof(rr->buffer_) - rr->buffer.length;
+ if (rr->info->ai_socktype == SOCK_STREAM) {
+ pktlen = krad_packet_bytes_needed(&rr->buffer);
+ if (pktlen < 0) {
+@@ -328,7 +328,7 @@ on_io_read(krad_remote *rr)
+
+ /* Read the packet. */
+ i = recv(verto_get_fd(rr->io), rr->buffer.data + rr->buffer.length,
+- pktlen - rr->buffer.length, 0);
++ pktlen, 0);
+ if (i < 0) {
+ /* Should we try again? */
+ if (errno == EWOULDBLOCK || errno == EAGAIN || errno == EINTR)
+--
+2.8.1
+
diff --git a/krb5.spec b/krb5.spec
index 6cf2b50..f85c1d2 100644
--- a/krb5.spec
+++ b/krb5.spec
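Review bot: The SOCK_STREAM branch now hands the value of krad_packet_bytes_needed() straight to recv() with no clamp against the space left in rr->buffer_, so the fix is only memory-safe if that helper never returns more than sizeof(rr->buffer_) - rr->buffer.length; that bound is not visible in this hunk and should be stated where the result is consumed, e.g. `/* krad_packet_bytes_needed() is bounded by the free space in buffer_, so pktlen never exceeds it. */` above the recv() call. The datagram path computes pktlen with size_t arithmetic and stores it in what the `pktlen < 0` test implies is a signed variable, so if rr->buffer.length could ever exceed sizeof(rr->buffer_) the subtraction would wrap to a huge value instead of going negative; if that state is reachable it deserves a check alongside the existing `pktlen < 0` test. A zero return from krad_packet_bytes_needed() also makes recv() read zero bytes, which the code after the hunk may treat as a peer close; I cannot see that handling here. The body of on_io_read begins and ends outside the hunk.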
@@ -13,7 +13,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14.1
-Release: 7%{?dist}
+Release: 8%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -72,6 +72,7 @@
 Patch164: krb5-1.15-kdc_send_receive_hooks.patch
 Patch165: krb5-1.15-kdc_hooks_test.patch
 Patch166: krb5-1.14.3-fix_otp_as_key.patch
+Patch167: krb5-1.14.3-krad-recv.patch

 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -271,6 +272,7 @@ ln NOTICE LICENSE
 %patch165 -p1 -b .kdc_hooks_test
 %patch166 -p1 -b .fix_otp_as_key
+%patch167 -p1 -b .krad-recv

 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -801,6 +803,9 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*

 %changelog
+* Wed Jun 22 2016 Robbie Harwood - 1.14.1-8
+- Fix incorrect recv() size calculation in libkrad
+
 * Thu Jun 16 2016 Robbie Harwood - 1.14.1-7
 - Separate out the kadm5 libs