From 2fc3525fdf5c1da73eefeebcd7280c4404d5fd5f Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Tue, 21 Jan 2014 18:45:56 +0100
Subject: [PATCH] Don't read uninitialized memory in client packet length check

Before calling PKL_ReplyLength() check that the packet has full header. This didn't change the outcome of the test if the packet was shorter as the invalid result from PKL_ReplyLength() was either larger than length of the packet or smaller than header length, failing the length check in both cases.
---
 client.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/client.c b/client.c
index 8ce3f45..b0939a2 100644
--- a/client.c
+++ b/client.c
@@ -1366,7 +1366,11 @@ submit_request(CMD_Request *request, CMD_Reply *reply, int *reply_auth_ok)
 } else {
 read_length = recvfrom_status;
- expected_length = PKL_ReplyLength(reply);
+ if (read_length >= offsetof(CMD_Reply, data)) {
+ expected_length = PKL_ReplyLength(reply);
+ } else {
+ expected_length = 0;
+ }
 bad_length = (read_length < expected_length || expected_length < offsetof(CMD_Reply, data));