From b5aab824886fa8f441291340bdd4e187c562ddd0 Mon Sep 17 00:00:00 2001
From: cinap_lenrek <cinap_lenrek@gmx.de>
Date: Mon, 16 Sep 2013 03:56:53 +0200
Subject: libauth: add sanity check for auth_proxy write size

---
 sys/src/libauth/auth_proxy.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sys/src/libauth/auth_proxy.c b/sys/src/libauth/auth_proxy.c
index c415c104d..f96350f50 100644
--- a/sys/src/libauth/auth_proxy.c
+++ b/sys/src/libauth/auth_proxy.c
@@ -157,9 +157,10 @@ fauth_proxy(int fd, AuthRpc *rpc, AuthGetkey *getkey, char *params)
 			n = 0;
 			memset(buf, 0, AuthRpcMax);
 			while((ret = dorpc(rpc, "write", buf, n, getkey)) == ARtoosmall){
-				if(atoi(rpc->arg) > AuthRpcMax)
+				m = atoi(rpc->arg);
+				if(m <= n || m > AuthRpcMax)
 					break;
-				m = read(fd, buf + n, atoi(rpc->arg) - n);
+				m = read(fd, buf + n, m - n);
 				if(m <= 0){
 					if(m == 0)
 						werrstr("auth_proxy short read: %s",
-- 
cgit v1.2.3