From 11c54cd6c8edb2096ece102e588eeb224272ed67 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Sun, 24 Jul 2011 11:08:58 -0500
Subject: [PATCH] Protect against negative n_ks_tuple values and against randkey returning negative n_keys
---
 kadmin/server.c | 6 ++++++
 lib/kadm5/randkey_c.c | 4 ++++
 2 files changed, 10 insertions(+)
diff --git a/kadmin/server.c b/kadmin/server.c
index bd4ddff33..7395e9f78 100644
--- a/kadmin/server.c
+++ b/kadmin/server.c
@@ -395,6 +395,12 @@ kadmind_dispatch(void *kadm_handlep, krb5_boolean initial,
 } else if (ret == 0) {
 size_t i;
+ if (n_ks_tuple < 0) {
+ ret = EOVERFLOW;
+ krb5_free_principal(contextp->context, princ);
+ goto fail;
+ }
+
 if ((ks_tuple = calloc(n_ks_tuple, sizeof (*ks_tuple))) == NULL) {
 ret = errno;
 krb5_free_principal(contextp->context, princ);
diff --git a/lib/kadm5/randkey_c.c b/lib/kadm5/randkey_c.c
index 8f1688377..9b185f6ad 100644
--- a/lib/kadm5/randkey_c.c
+++ b/lib/kadm5/randkey_c.c
@@ -113,6 +113,10 @@ kadm5_c_randkey_principal(void *server_handle,
 int i;
 krb5_ret_int32(sp, &tmp);
+ if (tmp < 0) {
+ ret = EOVERFLOW;
+ goto out;
+ }
 k = malloc(tmp * sizeof(*k));
 if (k == NULL) {
 ret = ENOMEM;
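Review bot: The new guard in kadmind_dispatch rejects only negative counts, so any positive n_ks_tuple still reaches `calloc(n_ks_tuple, sizeof (*ks_tuple))` with no upper bound. If the count is decoded from the client request (the decode is outside this hunk), a peer can make kadmind attempt a very large allocation. The same check could carry a sanity cap, e.g. `if (n_ks_tuple < 0 || n_ks_tuple > MAX_KS_TUPLES) {`, where MAX_KS_TUPLES is a placeholder for a limit the project chooses. A count of zero also deserves explicit handling, since calloc(0, ...) may return NULL and the branch would then run `ret = errno;` with errno possibly unset. The enclosing function starts and ends outside the hunk.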
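Review bot: The size computation in `k = malloc(tmp * sizeof(*k));` can still wrap where size_t is 32 bits, because the added check bounds tmp only from below. A large count read from the stream would then produce a buffer smaller than what the code after the hunk presumably fills. `k = calloc(tmp, sizeof(*k));` lets the allocator reject the overflow and matches the calloc already used in kadmin/server.c. The result of `krb5_ret_int32(sp, &tmp);` is also ignored, so on a short reply `tmp < 0` may be evaluated on a value that was never written; `ret = krb5_ret_int32(sp, &tmp); if (ret) goto out;` would close that. The function body continues outside the hunk.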