From a1481f1f058305619da11d41ecacd7d0bc44de4f Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Tue, 18 Jan 2022 00:42:00 -0600
Subject: [PATCH] kdc: Check krb5_ret_uint32() in connect loop
---
 kdc/connect.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/kdc/connect.c b/kdc/connect.c
index 8fb521632..81f0ed5e5 100644
--- a/kdc/connect.c
+++ b/kdc/connect.c
@@ -621,6 +621,7 @@ handle_vanilla_tcp (krb5_context context,
 krb5_kdc_configuration *config,
 struct descr *d)
 {
+ krb5_error_code ret;
 krb5_storage *sp;
 uint32_t len;
@@ -629,7 +630,13 @@ handle_vanilla_tcp (krb5_context context,
 kdc_log (context, config, 1, "krb5_storage_from_mem failed");
 return -1;
 }
- krb5_ret_uint32(sp, &len);
+ if (d->len < 4)
+ return 0;
+ ret = krb5_ret_uint32(sp, &len);
+ if (ret) {
+ kdc_log(context, config, 4, "failed to read request length");
+ return -1;
+ }
 krb5_storage_free(sp);
 if(d->len - 4 >= len) {
 memmove(d->buf, d->buf + 4, d->len - 4);
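Review bot: Both early returns added in the second hunk exit before `krb5_storage_free(sp);`, so `sp` is not released on the `d->len < 4` path (`return 0`) or when `krb5_ret_uint32()` fails (`return -1`). The allocation itself sits just above the hunk (presumably the `krb5_storage_from_mem` call whose failure is logged in the context lines), and the function body also continues past the hunk. If this handler runs each time bytes arrive on a KDC TCP connection, a peer that keeps sending fewer than four bytes would leak one storage object per call, so this deserves fixing before merge. I would move `if (d->len < 4) return 0;` ahead of the storage creation, and put `krb5_storage_free(sp);` directly after `ret = krb5_ret_uint32(sp, &len);`, before the `if (ret)` test.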