From 912dfa6eee95e77be6136193989b85181ef24136 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?= <lha@kth.se>
Date: Sun, 7 Mar 2004 14:26:20 +0000
Subject: [PATCH] (spnego_accept_sec_context): make sure the length of the
 choice element doesn't overrun us

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13445 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/accept_sec_context.c      | 3 +++
 lib/gssapi/krb5/accept_sec_context.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/lib/gssapi/accept_sec_context.c b/lib/gssapi/accept_sec_context.c
index 396575387..49af9b070 100644
--- a/lib/gssapi/accept_sec_context.c
+++ b/lib/gssapi/accept_sec_context.c
@@ -773,6 +773,9 @@ spnego_accept_sec_context
     if (ret)
 	return ret;
 
+    if(len > data.length - taglen)
+	return ASN1_OVERRUN;
+
     ret = decode_NegTokenInit((const char *)data.data + taglen, len,
 			      &ni, &ni_len);
     if (ret)
diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index 396575387..49af9b070 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -773,6 +773,9 @@ spnego_accept_sec_context
     if (ret)
 	return ret;
 
+    if(len > data.length - taglen)
+	return ASN1_OVERRUN;
+
     ret = decode_NegTokenInit((const char *)data.data + taglen, len,
 			      &ni, &ni_len);
     if (ret)