From 4660ec8358a158041fcf0ebe5788f2777e5d5807 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand
Date: Sun, 21 Mar 2010 21:05:21 -0700
Subject: [PATCH] check for underruns

---
 lib/krb5/crypto.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index 565183941..ed8765542 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -3144,8 +3144,14 @@ decrypt_internal(krb5_context context,
 krb5_clear_error_message(context);
 return KRB5_BAD_MSIZE;
 }
-
 checksum_sz = CHECKSUMSIZE(et->checksum);
+ if (len < checksum_sz + et->confoundersize) {
+ krb5_set_error_message(context, KRB5_BAD_MSIZE,
+ N_("Encrypted data shorter then "
+ "checksum + confunder", ""));
+ return KRB5_BAD_MSIZE;
+ }
+
 p = malloc(len);
 if(len != 0 && p == NULL) {
 krb5_set_error_message(context, ENOMEM, N_("malloc: out of memory", ""));
@@ -3207,6 +3213,12 @@ decrypt_internal_special(krb5_context context,
 krb5_clear_error_message(context);
 return KRB5_BAD_MSIZE;
 }
+ if (len < cksum_sz + et->confoundersize) {
+ krb5_set_error_message(context, KRB5_BAD_MSIZE,
+ N_("Encrypted data shorter then "
+ "checksum + confunder", ""));
+ return KRB5_BAD_MSIZE;
+ }
 
 p = malloc (len);
 if (p == NULL) {
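Review bot: The error string added to decrypt_internal has two typos, "shorter then" and "confunder", and because it is a translatable msgid wrapped in `N_()` it is cheapest to correct before translations pick it up: `N_("Encrypted data shorter than "` followed by `"checksum + confounder", ""));`. The identical string appears in the decrypt_internal_special hunk and should be changed there in the same way so both call sites keep a single msgid. A short comment above the new `if`, such as `/* reject input too short to hold confounder + checksum before any size is derived from len */`, would record why the guard has to sit ahead of the allocation. decrypt_internal's body starts and ends outside the hunk.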
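Review bot: In decrypt_internal_special the new guard runs after the function's local declarations, and `cksum_sz` is not assigned anywhere in this hunk, so it is initialised above the visible lines. If a payload size is also derived there from `len - cksum_sz - et->confoundersize` (not visible here), that unsigned value has already wrapped for short input by the time this check runs. That is harmless only as long as nothing reads it before the early return, so computing the derived size after the guard would make the ordering explicit. The diffstat shows only crypto.c changed, so a regression test that feeds a ciphertext shorter than checksum plus confounder through both functions and expects `KRB5_BAD_MSIZE` is still missing. The function body starts and ends outside the hunk.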