Verify the combined lengths of the KRB_AP_REP and KRB_PRIV in the set

password response.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11337 ec53bebd-3082-4978-b11e-865c3cabbd6b

lib/krb5/changepw.c

@@ -144,7 +144,7 @@ process_reply (krb5_context context,
     u_char reply[BUFSIZ];
     size_t len;
     u_int16_t pkt_len, pkt_ver;
-    krb5_data ap_rep_data;
+    krb5_data ap_rep_data, priv_data;
     int save_errno;
 
     ret = recvfrom (sock, reply, sizeof(reply), 0, NULL, NULL);
@@ -173,10 +173,13 @@ process_reply (krb5_context context,
 
     ap_rep_data.data = reply + 6;
     ap_rep_data.length  = (reply[4] << 8) | (reply[5]);
+    priv_data.data   = (u_char*)ap_rep_data.data + ap_rep_data.length;
+    priv_data.length = len - ap_rep_data.length - 6;
+    if ((u_char *)priv_data.data + priv_data.length >= reply + len)
+	return KRB5_KPASSWD_MALFORMED;
   
     if (ap_rep_data.length) {
 	krb5_ap_rep_enc_part *ap_rep;
-	krb5_data priv_data;
 	u_char *p;
 
 	ret = krb5_rd_rep (context,
@@ -188,9 +191,6 @@ process_reply (krb5_context context,
 
 	krb5_free_ap_rep_enc_part (context, ap_rep);
 
-	priv_data.data   = (u_char*)ap_rep_data.data + ap_rep_data.length;
-	priv_data.length = len - ap_rep_data.length - 6;
-
 	ret = krb5_rd_priv (context,
 			    auth_context,
 			    &priv_data,