(gssapi_krb5_verify_8003_checksum): check size of input
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11532 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
@@ -172,7 +172,7 @@ gssapi_krb5_verify_8003_checksum(
|
||||
static unsigned char zeros[16];
|
||||
|
||||
/* XXX should handle checksums > 24 bytes */
|
||||
if(cksum->cksumtype != 0x8003) {
|
||||
if(cksum->cksumtype != 0x8003 || cksum->checksum.length < 24) {
|
||||
*minor_status = 0;
|
||||
return GSS_S_BAD_BINDINGS;
|
||||
}
|
||||
@@ -201,26 +201,32 @@ gssapi_krb5_verify_8003_checksum(
|
||||
p += sizeof(hash);
|
||||
|
||||
decode_om_uint32(p, flags);
|
||||
|
||||
if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
|
||||
|
||||
p += 4;
|
||||
|
||||
DlgOpt = (p[0] << 0) | (p[1] << 8 );
|
||||
if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
|
||||
if(cksum->checksum.length < 28) {
|
||||
*minor_status = 0;
|
||||
return GSS_S_BAD_BINDINGS;
|
||||
}
|
||||
|
||||
DlgOpt = (p[0] << 0) | (p[1] << 8);
|
||||
p += 2;
|
||||
if (DlgOpt != 1) {
|
||||
*minor_status = 0;
|
||||
return GSS_S_BAD_BINDINGS;
|
||||
}
|
||||
|
||||
p += 2;
|
||||
fwd_data->length = (p[0] << 0) | (p[1] << 8);
|
||||
p += 2;
|
||||
if(cksum->checksum.length < 28 + fwd_data->length) {
|
||||
*minor_status = 0;
|
||||
return GSS_S_BAD_BINDINGS;
|
||||
}
|
||||
fwd_data->data = malloc(fwd_data->length);
|
||||
if (fwd_data->data == NULL) {
|
||||
*minor_status = ENOMEM;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
|
||||
p += 2;
|
||||
memcpy(fwd_data->data, p, fwd_data->length);
|
||||
}
|
||||
|
||||
|
||||
@@ -172,7 +172,7 @@ gssapi_krb5_verify_8003_checksum(
|
||||
static unsigned char zeros[16];
|
||||
|
||||
/* XXX should handle checksums > 24 bytes */
|
||||
if(cksum->cksumtype != 0x8003) {
|
||||
if(cksum->cksumtype != 0x8003 || cksum->checksum.length < 24) {
|
||||
*minor_status = 0;
|
||||
return GSS_S_BAD_BINDINGS;
|
||||
}
|
||||
@@ -201,26 +201,32 @@ gssapi_krb5_verify_8003_checksum(
|
||||
p += sizeof(hash);
|
||||
|
||||
decode_om_uint32(p, flags);
|
||||
|
||||
if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
|
||||
|
||||
p += 4;
|
||||
|
||||
DlgOpt = (p[0] << 0) | (p[1] << 8 );
|
||||
if (cksum->checksum.length > 24 && (*flags & GSS_C_DELEG_FLAG)) {
|
||||
if(cksum->checksum.length < 28) {
|
||||
*minor_status = 0;
|
||||
return GSS_S_BAD_BINDINGS;
|
||||
}
|
||||
|
||||
DlgOpt = (p[0] << 0) | (p[1] << 8);
|
||||
p += 2;
|
||||
if (DlgOpt != 1) {
|
||||
*minor_status = 0;
|
||||
return GSS_S_BAD_BINDINGS;
|
||||
}
|
||||
|
||||
p += 2;
|
||||
fwd_data->length = (p[0] << 0) | (p[1] << 8);
|
||||
p += 2;
|
||||
if(cksum->checksum.length < 28 + fwd_data->length) {
|
||||
*minor_status = 0;
|
||||
return GSS_S_BAD_BINDINGS;
|
||||
}
|
||||
fwd_data->data = malloc(fwd_data->length);
|
||||
if (fwd_data->data == NULL) {
|
||||
*minor_status = ENOMEM;
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
|
||||
p += 2;
|
||||
memcpy(fwd_data->data, p, fwd_data->length);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user