From 66dc0b483c89aea8c4c2364a8316cec683915ea5 Mon Sep 17 00:00:00 2001
From: Assar Westerlund
Date: Sat, 29 Jul 2000 05:48:13 +0000
Subject: [PATCH] (gssapi_krb5_verify_header): sanity-check length
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8873 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/decapsulate.c | 8 +++++---
 lib/gssapi/krb5/decapsulate.c | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/lib/gssapi/decapsulate.c b/lib/gssapi/decapsulate.c
index a72b8cdb9..be67e1efd 100644
--- a/lib/gssapi/decapsulate.c
+++ b/lib/gssapi/decapsulate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
@@ -44,18 +44,20 @@ gssapi_krb5_verify_header(u_char **str,
 int e;
 u_char *p = *str;
+ if (total_len < 1)
+ return GSS_S_DEFECTIVE_TOKEN;
 if (*p++ != 0x60)
 return GSS_S_DEFECTIVE_TOKEN;
 e = der_get_length (p, total_len - 1, &len, &len_len);
 if (e || 1 + len_len + len != total_len)
- abort ();
+ return GSS_S_DEFECTIVE_TOKEN;
 p += len_len;
 if (*p++ != 0x06)
 return GSS_S_DEFECTIVE_TOKEN;
 e = der_get_length (p, total_len - 1 - len_len - 1, &mech_len, &foo);
 if (e)
- abort ();
+ return GSS_S_DEFECTIVE_TOKEN;
 p += foo;
 if (mech_len != GSS_KRB5_MECHANISM->length)
 return GSS_S_BAD_MECH;
diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
index a72b8cdb9..be67e1efd 100644
--- a/lib/gssapi/krb5/decapsulate.c
+++ b/lib/gssapi/krb5/decapsulate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
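Review bot: In the `@@ -44,18 +44,20 @@` hunk of lib/gssapi/decapsulate.c, the read at `if (*p++ != 0x06)` is still not bounded: when the outer DER length decodes to `len == 0`, the check `1 + len_len + len != total_len` passes and `p += len_len` leaves `p` one past the end of the token. The following `total_len - 1 - len_len - 1` would then also wrap if `total_len` is unsigned (its declaration is outside the hunk). Rejecting an empty body in the same test closes both, e.g. `if (e || len < 1 || 1 + len_len + len != total_len)`. The identical hunk in lib/gssapi/krb5/decapsulate.c needs the same guard; the function continues past the hunk, so whether `mech_len` is checked against the remaining bytes before it is used cannot be seen here.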
@@ -44,18 +44,20 @@ gssapi_krb5_verify_header(u_char **str,
 int e;
 u_char *p = *str;
+ if (total_len < 1)
+ return GSS_S_DEFECTIVE_TOKEN;
 if (*p++ != 0x60)
 return GSS_S_DEFECTIVE_TOKEN;
 e = der_get_length (p, total_len - 1, &len, &len_len);
 if (e || 1 + len_len + len != total_len)
- abort ();
+ return GSS_S_DEFECTIVE_TOKEN;
 p += len_len;
 if (*p++ != 0x06)
 return GSS_S_DEFECTIVE_TOKEN;
 e = der_get_length (p, total_len - 1 - len_len - 1, &mech_len, &foo);
 if (e)
- abort ();
+ return GSS_S_DEFECTIVE_TOKEN;
 p += foo;
 if (mech_len != GSS_KRB5_MECHANISM->length)
 return GSS_S_BAD_MECH;