From d5cb6584511270273468b9eb7731f15b795cf438 Mon Sep 17 00:00:00 2001
From: Assar Westerlund
Date: Wed, 23 Oct 2002 06:10:08 +0000
Subject: import 1.29 to fix buffer overflow: check the length of the authenticator and rlen

Obtained from: Heimdal CVS
---
 crypto/kerberosIV/kadmin/kadm_ser_wrap.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/crypto/kerberosIV/kadmin/kadm_ser_wrap.c b/crypto/kerberosIV/kadmin/kadm_ser_wrap.c
index 196a89c8fe11..29f142c63661 100644
--- a/crypto/kerberosIV/kadmin/kadm_ser_wrap.c
+++ b/crypto/kerberosIV/kadmin/kadm_ser_wrap.c
@@ -117,16 +117,25 @@ kadm_ser_in(u_char **dat, int *dat_len, u_char *errdat)
     u_char *retdat, *tmpdat;
     int retval, retlen;
 
-    if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+    if (*dat_len < (KADM_VERSIZE + sizeof(u_int32_t))
+        || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE) != 0) {
         errpkt(errdat, dat, dat_len, KADM_BAD_VER);
         return KADM_BAD_VER;
     }
     in_len = KADM_VERSIZE;
     /* get the length */
-    if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
+    if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0 ||
+        (r_len > *dat_len - KADM_VERSIZE - sizeof(u_int32_t))) {
+        errpkt(errdat, dat, dat_len, KADM_LENGTH_ERROR);
         return KADM_LENGTH_ERROR;
+    }
+
     in_len += retc;
     authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(u_int32_t);
+    if (authent.length > MAX_KTXT_LEN) {
+        errpkt(errdat, dat, dat_len, KADM_LENGTH_ERROR);
+        return KADM_LENGTH_ERROR;
+    }
     memcpy(authent.dat, (char *)(*dat) + in_len, authent.length);
     authent.mbz = 0;
     /* service key should be set before here */
-- 
cgit v1.2.3
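Review bot: The new minimum-length guard compares the `int` `*dat_len` against `KADM_VERSIZE + sizeof(u_int32_t)`, and because `sizeof` yields `size_t` the signed value is converted to unsigned before the comparison, so a negative `*dat_len` would become a very large value and pass the check rather than be rejected; the same promotion applies to the `*dat_len - KADM_VERSIZE - sizeof(u_int32_t)` bound on the `r_len` check. Whether any caller can hand this function a negative length is not visible from the hunk, so a cheap explicit rejection keeps the new bounds checks meaningful regardless: `if (*dat_len < 0 || (size_t)*dat_len < KADM_VERSIZE + sizeof(u_int32_t)`, keeping the `strncmp` clause unchanged. A one-line comment above the `authent.length` check, such as `/* authent.dat is a fixed MAX_KTXT_LEN buffer; reject before memcpy */`, would make the reason for the third guard clear to the next reader. The body of kadm_ser_in starts before the hunk and continues after it, so the later uses of r_len and in_len are not visible here.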