aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAssar Westerlund <assar@FreeBSD.org>2002-10-22 03:43:30 +0000
committerAssar Westerlund <assar@FreeBSD.org>2002-10-22 03:43:30 +0000
commitfe258bf370887d15f9253c46c9e95790b8605786 (patch)
tree28afedfaf1a3bfd0cb2ca97099343a74f51db8af
parent5bd5e7910f140dc9c19049b5fb10adaf7163db94 (diff)
downloadsrc-fe258bf370887d15f9253c46c9e95790b8605786.tar.gz
src-fe258bf370887d15f9253c46c9e95790b8605786.zip
import 1.27 to fix buffer overflow:
check size of rlen Approved by: security-officer Obtained from: Heimdal CVS
Notes
Notes: svn path=/releng/4.4/; revision=105676
-rw-r--r--crypto/heimdal/kadmin/version4.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/crypto/heimdal/kadmin/version4.c b/crypto/heimdal/kadmin/version4.c
index e4ebce75890d..b61dbd3fa214 100644
--- a/crypto/heimdal/kadmin/version4.c
+++ b/crypto/heimdal/kadmin/version4.c
@@ -41,7 +41,7 @@
#include <krb_err.h>
#include <kadm_err.h>
-RCSID("$Id: version4.c,v 1.24 2001/01/29 08:40:45 assar Exp $");
+RCSID("$Id: version4.c,v 1.27 2002/10/21 12:35:07 joda Exp $");
#define KADM_NO_OPCODE -1
#define KADM_NO_ENCRYPT -2
@@ -822,6 +822,13 @@ decode_packet(krb5_context context,
off += _krb5_get_int(msg + off, &rlen, 4);
memset(&authent, 0, sizeof(authent));
authent.length = message.length - rlen - KADM_VERSIZE - 4;
+
+ if(authent.length >= MAX_KTXT_LEN) {
+ krb5_warnx(context, "received bad rlen (%lu)", (unsigned long)rlen);
+ make_you_loose_packet (KADM_LENGTH_ERROR, reply);
+ return;
+ }
+
memcpy(authent.dat, (char*)msg + off, authent.length);
off += authent.length;