From 1c689e0b5d77425d2a52d680b812540ef96ed482 Mon Sep 17 00:00:00 2001
From: Assar Westerlund
Date: Tue, 26 Oct 1999 04:14:36 +0000
Subject: [PATCH] (do_read): the encoded length can be longer than the buffer being used, allocate memory for it dynamically. From Brian A May
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@7230 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 appl/rsh/common.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/appl/rsh/common.c b/appl/rsh/common.c
index 8b3130276..e5f3763e0 100644
--- a/appl/rsh/common.c
+++ b/appl/rsh/common.c
@@ -56,20 +56,25 @@ do_read (int fd,
 u_int32_t len, outer_len;
 int status;
 krb5_data data;
+ void *edata;
 ret = krb5_net_read (context, &fd, &len, 4);
 if (ret <= 0)
 return ret;
 len = ntohl(len);
- outer_len = krb5_get_wrapped_length (context, crypto, len);
- if (outer_len > sz)
+ if (len > sz)
 abort ();
- ret = krb5_net_read (context, &fd, buf, outer_len);
+ outer_len = krb5_get_wrapped_length (context, crypto, len);
+ edata = malloc (outer_len);
+ if (edata == NULL)
+ errx (1, "malloc: cannot allocate %u bytes", outer_len);
+ ret = krb5_net_read (context, &fd, edata, outer_len);
 if (ret <= 0)
 return ret;
 status = krb5_decrypt(context, crypto, KRB5_KU_OTHER_ENCRYPTED,
- buf, outer_len, &data);
+ edata, outer_len, &data);
+ free (edata);
 if (status)
 errx (1, "%s", krb5_get_err_text (context, status));
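Review bot: The early `return ret;` that follows the new `krb5_net_read (context, &fd, edata, outer_len)` leaks `edata`, because `free (edata)` is only reached after `krb5_decrypt`; the error path should release it first, e.g. `if (ret <= 0) { free (edata); return ret; }`. Separately, `len` is taken straight from the network, and both an oversized value (`if (len > sz) abort ();`) and a failed allocation (`errx`) terminate the process, so a peer can end the session with a single length field; returning an error would be safer, provided the callers handle one. A short comment above the check would also help, such as `/* len is the plaintext length and must fit buf; outer_len is the larger encrypted length read into edata */`. The body of do_read starts and ends outside this hunk, so how `data` is copied back into `buf` is not visible here.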