author | Cy Schubert <cy@FreeBSD.org> | 2018-04-03 19:36:00 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2018-04-03 19:36:00 +0000 |
commit | b0e4d68d5124581ae353493d69bea352de4cff8a (patch) | |
tree | 43300ec43e83eccd367fd76fdfdefba2dcd7d8f4 /src/lib/gssapi/mechglue/g_glue.c | |
parent | 33a9b234e7087f573ef08cd7318c6497ba08b439 (diff) | |
Import MIT KRB5 1.16.vendor/krb5/1.16vendor/krb5
Notes
Notes:
svn path=/vendor-crypto/krb5/dist/; revision=331939
svn path=/vendor-crypto/krb5/1.16/; revision=331941; tag=vendor/krb5/1.16
Diffstat (limited to 'src/lib/gssapi/mechglue/g_glue.c')
-rw-r--r-- | src/lib/gssapi/mechglue/g_glue.c | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c
index 4aa3591a0d06..4cd2e8f8eb8c 100644
--- a/src/lib/gssapi/mechglue/g_glue.c
+++ b/src/lib/gssapi/mechglue/g_glue.c
@@ -189,7 +189,7 @@ OM_uint32 gssint_get_mech_type_oid(OID, token)
 gss_buffer_t token;
 {
 unsigned char * buffer_ptr;
- int length;
+ size_t buflen, lenbytes, length, oidlen;
 /*
 * This routine reads the prefix of "token" in order to determine
@@ -223,25 +223,33 @@ OM_uint32 gssint_get_mech_type_oid(OID, token)
 /* Skip past the APP/Sequnce byte and the token length */
 buffer_ptr = (unsigned char *) token->value;
+ buflen = token->length;
- if (*(buffer_ptr++) != 0x60)
+ if (buflen < 2 || *buffer_ptr++ != 0x60)
 return (GSS_S_DEFECTIVE_TOKEN);
 length = *buffer_ptr++;
+ buflen -= 2;
 /* check if token length is null */
 if (length == 0)
 return (GSS_S_DEFECTIVE_TOKEN);
 if (length & 0x80) {
- if ((length & 0x7f) > 4)
+ lenbytes = length & 0x7f;
+ if (lenbytes > 4 || lenbytes > buflen)
 return (GSS_S_DEFECTIVE_TOKEN);
- buffer_ptr += length & 0x7f;
+ buffer_ptr += lenbytes;
+ buflen -= lenbytes;
 }
- if (*(buffer_ptr++) != 0x06)
+ if (buflen < 2 || *buffer_ptr++ != 0x06)
+ return (GSS_S_DEFECTIVE_TOKEN);
+ oidlen = *buffer_ptr++;
+ buflen -= 2;
+ if (oidlen > 0x7f || oidlen > buflen)
 return (GSS_S_DEFECTIVE_TOKEN);
- OID->length = (OM_uint32) *(buffer_ptr++);
+ OID->length = oidlen;
 OID->elements = (void *) buffer_ptr;
 return (GSS_S_COMPLETE);
 } |
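Review bot: In the second hunk, the long-form length octets in the `if (length & 0x80)` branch are stepped over without being decoded, so the token's declared DER length is never compared with `token->length`; only the OID's own bounds are enforced. If that is intentional because this routine only peeks at the mechanism OID, a comment above the branch such as `/* Encoded token length is skipped, not verified; only the OID is bounds-checked here. */` would stop a later reader from assuming the whole header was validated. Two related details deserve a line in the function's header comment: `length == 0x80` gives `lenbytes == 0` and is accepted, and `OID->elements` points into `token->value`, so the returned OID is usable only while the caller keeps the token buffer alive. The function begins before this hunk, so any earlier NULL checks on `token` or `OID` are not visible here.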