From 7a63c28b4842cbc73868f13c43f4d46b7d4d8671 Mon Sep 17 00:00:00 2001 From: Assar Westerlund Date: Sun, 28 Jan 2001 21:51:05 +0000 Subject: [PATCH] (do_getticket): check length of ticket. noted by git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9542 ec53bebd-3082-4978-b11e-865c3cabbd6b --- kdc/kaserver.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/kdc/kaserver.c b/kdc/kaserver.c index 2f8a3ba7b..b1fc8f927 100644 --- a/kdc/kaserver.c +++ b/kdc/kaserver.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997 - 2000 Kungliga Tekniska Högskolan + * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan * (Royal Institute of Technology, Stockholm, Sweden). * All rights reserved. * @@ -651,6 +651,14 @@ do_getticket (struct rx_header *hdr, char sinstance[SNAME_SZ]; u_int32_t paddress; + if (aticket.length > sizeof(ticket.dat)) { + kdc_log(0, "ticket too long (%u > %u)", + (unsigned)aticket.length, + (unsigned)sizeof(ticket.dat)); + make_error_reply (hdr, KABADTICKET, reply); + goto out; + } + ticket.length = aticket.length; memcpy (ticket.dat, aticket.data, ticket.length);
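Review bot: The new length check in do_getticket exits through `goto out` before `ticket` and the later locals are filled in, and the `out:` label lies outside this hunk, so it is worth confirming that the cleanup there only touches state that is already initialised on this early path. The guard itself matches the copy it protects (`aticket.length > sizeof(ticket.dat)` ahead of `memcpy (ticket.dat, aticket.data, ticket.length)`), but nothing records why it is needed. I would add `/* aticket.length comes from the request; bound it before copying into the fixed-size ticket.dat */` above the `if`, assuming aticket is indeed parsed from the incoming message. The `kdc_log` call records only the two lengths, so if a client name or peer address is in scope at this point, including it would make a rejected oversized ticket attributable when reviewing logs.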