From 1d61dd312f497b2181a9e558f2e92681282d214d Mon Sep 17 00:00:00 2001 From: "Jacques A. Vidrine" Date: Mon, 9 Sep 2002 14:40:08 +0000 Subject: [PATCH] While decoding arguments for kadm_chpass_with_key, sanity check the number of keys given: must be non-negative, small enough that it is not truncated when stuffed into an int16_t for kadm5_free_key_data, and small enough to avoid integer overflow when calculating the memory required for the keys themselves. XXX Why does kadm5_free_key_data use int16_t? git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11415 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kadmin/ChangeLog | 5 +++++ kadmin/server.c | 7 +++++++ 2 files changed, 12 insertions(+)
diff --git a/kadmin/ChangeLog b/kadmin/ChangeLog
index f51cfa074..6b0d02fde 100644
--- a/kadmin/ChangeLog
+++ b/kadmin/ChangeLog
@@ -1,3 +1,8 @@
+2002-09-09 Jacques Vidrine
+
+ * server.c (kadmind_dispatch): while decoding arguments for
+ kadm_chpass_with_key, sanity check the number of keys given
+
 2002-09-04 Johan Danielsson * load.c (parse_generation): return if there is no generation
diff --git a/kadmin/server.c b/kadmin/server.c
index 105c99352..28a934fcb 100644
--- a/kadmin/server.c
+++ b/kadmin/server.c
@@ -255,6 +255,13 @@ kadmind_dispatch(void *kadm_handle, krb5_boolean initial,
 krb5_free_principal(context->context, princ);
 goto fail;
 }
+ /* n_key_data will be squeezed into an int16_t below. */
+ if (n_key_data < 0 || n_key_data >= 1 << 16 ||
+ n_key_data > UINT_MAX/sizeof(*key_data)) {
+ ret = ERANGE;
+ krb5_free_principal(context->context, princ);
+ goto fail;
+ }
 key_data = malloc (n_key_data * sizeof(*key_data));
 if (key_data == NULL) {
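Review bot: The upper bound `n_key_data >= 1 << 16` in the kadmin/server.c hunk still admits 32768..65535, which do not fit the `int16_t` that the comment directly above it names, so a count in that range would not survive the later narrowing intact. The narrowing itself and kadm5_free_key_data are outside the hunk, so the downstream effect is inferred rather than visible. The bound should match the destination type, e.g. `if (n_key_data < 0 || n_key_data > INT16_MAX ||`, keeping the `UINT_MAX/sizeof(*key_data)` term as the allocation-size guard. Separately, `n_key_data == 0` passes the check, and `malloc(0)` may return NULL on some platforms, which the following `if (key_data == NULL)` would presumably report as an allocation failure; it is worth deciding explicitly whether zero keys is rejected here or allowed. kadmind_dispatch begins and continues outside the hunk.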