From 9849899e7f732a4c2577640baba6d1e554e04bf6 Mon Sep 17 00:00:00 2001
From: "Jacques A. Vidrine"
Date: Mon, 9 Sep 2002 14:03:03 +0000
Subject: [PATCH] Validate some counts that may be received from the network: Check that they are non-negative, and that they are small enough to avoid integer overflow when used in memory allocation calculations.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11411 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kdc/kaserver.c | 2 ++
 kdc/kerberos5.c | 6 ++++++
 lib/krb5/transited.c | 23 +++++++++++------------
 3 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/kdc/kaserver.c b/kdc/kaserver.c
index 29b27cad9..2c3104805 100644
--- a/kdc/kaserver.c
+++ b/kdc/kaserver.c
@@ -186,6 +186,8 @@ krb5_ret_xdr_data(krb5_storage *sp,
     ret = krb5_ret_int32(sp, &size);
     if(ret)
         return ret;
+    if(size < 0)
+        return ERANGE;
     data->length = size;
     if (size) {
         u_char foo[4];
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index e05c0f987..c444c3e45 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -324,6 +324,8 @@ get_pa_etype_info(METHOD_DATA *md, hdb_entry *client,
     pa.len = client->keys.len;
+    if(pa.len > UINT_MAX/sizeof(*pa.val))
+        return ERANGE;
     pa.val = malloc(pa.len * sizeof(*pa.val));
     if(pa.val == NULL)
         return ENOMEM;
@@ -1079,6 +1081,10 @@ fix_transited_encoding(TransitedEncoding *tr,
             return ret;
         }
     }
+    if (num_realms < 0 || num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+        ret = ERANGE;
+        goto free_realms;
+    }
     tmp = realloc(realms, (num_realms + 1) * sizeof(*realms));
     if(tmp == NULL){
         ret = ENOMEM;
diff --git a/lib/krb5/transited.c b/lib/krb5/transited.c
index 704388b16..69cc9ad2f 100644
--- a/lib/krb5/transited.c
+++ b/lib/krb5/transited.c
@@ -318,8 +318,9 @@ krb5_domain_x500_decode(krb5_context context,
     if(ret)
         return ret;
-    /* remove empty components */
+    /* remove empty components and count realms */
     q = &r;
+    *num_realms = 0;
     for(p = r; p; ){
         if(p->realm[0] == '\0'){
             free(p->realm);
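Review bot: The added sign check leaves `size` otherwise unbounded, and `data->length = size` takes it straight from krb5_ret_int32, i.e. from the wire, so a value near INT32_MAX still flows into whatever allocation and read follow `if (size) {`. The remainder of krb5_ret_xdr_data is outside the hunk so I cannot see that allocation, but if it is a plain `malloc(size)` a single packet can force a multi-gigabyte request. Consider bounding it too, e.g. `if (size < 0 || size > KASERVER_MAX_XDR_DATA) return ERANGE;` with the constant sized to the largest legitimate kaserver payload, or comparing against the bytes the storage can still deliver before allocating.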
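Review bot: The new bound is expressed against UINT_MAX, but the product handed to malloc on the next line is evaluated in size_t; that is exact on ILP32 and merely conservative on LP64, so it is not wrong, but `pa.val = calloc(pa.len, sizeof(*pa.val));` would let the allocator perform the overflow check itself (and zero the array). Also, pa.len is copied from `client->keys.len`, a database entry rather than a network field, so this hunk hardens against a corrupt or hostile HDB rather than the wire-received counts the commit message describes; a short comment such as `/* keys.len comes from the HDB, not the wire; guard the size computation anyway */` would make that intent clear. The rest of get_pa_etype_info lies outside the hunk.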
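Review bot: `num_realms + 1` in the new guard is computed in int (the `< 0` test implies num_realms is signed), so for num_realms == INT_MAX the addition overflows before the comparison is made; the count is bounded by what krb5_domain_x500_decode could parse, so this is theoretical, but the same test without the addition avoids it: `if (num_realms < 0 || (unsigned)num_realms >= UINT_MAX/sizeof(*realms))`. The `free_realms` label and the start of fix_transited_encoding are outside the hunk, so I am assuming the label already releases `realms` and the strings it holds when the new `goto free_realms` fires.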
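Review bot: `*num_realms = 0;` is placed after the `if(ret) return ret;` just above it, so on that early exit neither `*num_realms` nor `*realms` has been written and a caller that frees or counts on error reads uninitialized values; the removed `*realms = NULL; *num_realms = 0;` further down sat after this return as well, so the gap is old, but the move makes it easy to close. Initializing both outputs before the decode call, `*realms = NULL; *num_realms = 0;`, gives callers a safe state on every return path; the start of krb5_domain_x500_decode is outside the hunk. If that is not wanted, a comment on the function stating that the outputs are undefined on failure would at least document the contract.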
@@ -329,22 +330,20 @@ krb5_domain_x500_decode(krb5_context context,
         }else{
             q = &p->next;
             p = p->next;
+            (*num_realms)++;
         }
     }
+    if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms))
+        return ERANGE;
+
     {
         char **R;
-        *realms = NULL;
-        *num_realms = 0;
+        R = malloc((*num_realms + 1) * sizeof(*R));
+        if (R == NULL)
+            return ENOMEM;
+        *realms = R;
         while(r){
-            R = realloc(*realms, (*num_realms + 1) * sizeof(**realms));
-            if(R == NULL) {
-                free(*realms);
-                krb5_set_error_string (context, "malloc: out of memory");
-                return ENOMEM;
-            }
-            R[*num_realms] = r->realm;
-            (*num_realms)++;
-            *realms = R;
+            *R++ = r->realm;
             p = r->next;
             free(r);
             r = p;
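Review bot: Both new error returns leak the decoded list: on `return ERANGE` and on the malloc failure `return ENOMEM`, every node still reachable from `r` and the `realm` string it owns is abandoned, and the removed `krb5_set_error_string (context, "malloc: out of memory")` is not carried over, so callers also lose the error text (the old realloc path leaked the rest of the list too, but it did set the message). I would route both failures through a cleanup label that walks the list the way the success path already does, and set an error string on each. The tail of krb5_domain_x500_decode is outside the hunk, so the `fail:` label below belongs at the function's exit, after the normal return that presumably follows the NULL-termination of the array.
```c
    if (*num_realms < 0 || *num_realms + 1 > UINT_MAX/sizeof(**realms)) {
        krb5_set_error_string(context, "too many realms in transited encoding");
        ret = ERANGE;
        goto fail;
    }

    {
        char **R;
        R = malloc((*num_realms + 1) * sizeof(*R));
        if (R == NULL) {
            krb5_set_error_string(context, "malloc: out of memory");
            ret = ENOMEM;
            goto fail;
        }
        *realms = R;
        /* … unchanged: while(r) loop, end of block, NULL termination and normal return (outside this hunk) … */

fail:
    /* release the undecoded remainder of the list; its nodes still own their realm strings */
    while (r) {
        p = r->next;
        free(r->realm);
        free(r);
        r = p;
    }
    return ret;
```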