(do_getticket): check length of ticket. noted by <lha@stacken.kth.se>

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9542 ec53bebd-3082-4978-b11e-865c3cabbd6b
2001-01-28 21:51:05 +00:00
parent 0016308628
commit 7a63c28b48
1 changed files with 9 additions and 1 deletions
--- a/kdc/kaserver.c
+++ b/kdc/kaserver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997 - 2000 Kungliga Tekniska H<>gskolan
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska H<>gskolan
 * (Royal Institute of Technology, Stockholm, Sweden). 
 * All rights reserved. 
 *
@@ -651,6 +651,14 @@ do_getticket (struct rx_header *hdr,
 	char sinstance[SNAME_SZ];
 	u_int32_t paddress;

+	if (aticket.length > sizeof(ticket.dat)) {
+	    kdc_log(0, "ticket too long (%u > %u)",
+		    (unsigned)aticket.length,
+		    (unsigned)sizeof(ticket.dat));
+	    make_error_reply (hdr, KABADTICKET, reply);
+	    goto out;
+	}
+
 	ticket.length = aticket.length;
 	memcpy (ticket.dat, aticket.data, ticket.length);