import 1.27 to fix buffer overflow:

check size of rlen Obtained from: Heimdal CVS
svn path=/vendor-crypto/heimdal/dist/; revision=105672
2002-10-22 02:13:32 +00:00 · 2002-10-22 02:13:32 +00:00 · 5ead950622 · 2020-12-20 02:59:44 +00:00
commit 5ead950622
parent 1b3f4135a5
1 changed files with 8 additions and 1 deletions
--- a/crypto/heimdal/kadmin/version4.c
+++ b/crypto/heimdal/kadmin/version4.c
@ -41,7 +41,7 @@
 #include <krb_err.h>
 #include <kadm_err.h>

-RCSID("$Id: version4.c,v 1.26 2002/09/10 15:20:46 joda Exp $");
+RCSID("$Id: version4.c,v 1.27 2002/10/21 12:35:07 joda Exp $");

 #define KADM_NO_OPCODE -1
 #define KADM_NO_ENCRYPT -2
@ -822,6 +822,13 @@ decode_packet(krb5_context context,
    off += _krb5_get_int(msg + off, &rlen, 4);
    memset(&authent, 0, sizeof(authent));
    authent.length = message.length - rlen - KADM_VERSIZE - 4;
+
+    if(authent.length >= MAX_KTXT_LEN) {
+	krb5_warnx(context, "received bad rlen (%lu)", (unsigned long)rlen);
+	make_you_loose_packet (KADM_LENGTH_ERROR, reply);
+	return;
+    }
+
    memcpy(authent.dat, (char*)msg + off, authent.length);
    off += authent.length;