From d2c55ba4cc31306af2e1615d3faeff1a225e962f Mon Sep 17 00:00:00 2001
From: Johan Danielsson
Date: Sun, 29 Sep 1996 01:43:42 +0000
Subject: [PATCH] Fix buffer length checking.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@793 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 appl/ftp/ftpd/kauth.c | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/appl/ftp/ftpd/kauth.c b/appl/ftp/ftpd/kauth.c
index decee6f41..e3b56b077 100644
--- a/appl/ftp/ftpd/kauth.c
+++ b/appl/ftp/ftpd/kauth.c
@@ -46,6 +46,7 @@ store_ticket(KTEXT cip)
 char srealm[REALM_SZ];
 unsigned char kvno;
 KTEXT_ST tkt;
+ int left = cip->length;
 int kerror;
@@ -56,42 +57,49 @@ store_ticket(KTEXT cip)
 /* extract session key */
 memmove(session, ptr, 8);
 ptr += 8;
+ left -= 8;
- if ((strlen(ptr) + (ptr - (char *) cip->dat)) > cip->length)
+ if (strnlen(ptr, left) == left)
 return(INTK_BADPW);
-
+
 /* extract server's name */
 strcpy(sname,ptr);
 ptr += strlen(sname) + 1;
+ left -= strlen(sname) + 1;
- if ((strlen(ptr) + (ptr - (char *) cip->dat)) > cip->length)
+ if (strnlen(ptr, left) == left)
 return(INTK_BADPW);
 /* extract server's instance */
 strcpy(sinst, ptr);
 ptr += strlen(sinst) + 1;
+ left -= strlen(sinst) + 1;
- if ((strlen(ptr) + (ptr - (char *) cip->dat)) > cip->length)
+ if (strnlen(ptr, left) == left)
 return(INTK_BADPW);
 /* extract server's realm */
 strcpy(srealm,ptr);
 ptr += strlen(srealm) + 1;
+ left -= strlen(srealm) + 1;
+ if(left < 3)
+ return INTK_BADPW;
 /* extract ticket lifetime, server key version, ticket length */
 /* be sure to avoid sign extension on lifetime! */
 lifetime = (unsigned char) ptr[0];
 kvno = (unsigned char) ptr[1];
 tkt.length = (unsigned char) ptr[2];
 ptr += 3;
+ left -= 3;
- if ((tkt.length < 0) ||
- ((tkt.length + (ptr - (char *) cip->dat)) > cip->length))
+ if (tkt.length > left)
 return(INTK_BADPW);
 /* extract ticket itself */
 memmove(tkt.dat, ptr, tkt.length);
 ptr += tkt.length;
+ left -= tkt.length;
 /* Here is where the time should be verified against the KDC.
 * Unfortunately everything is sent in host byte order (receiver
@@ -145,7 +153,7 @@ void kauth(char *principal, char *ticket)
 return;
 }
 if(realm[0] == 0)
- krb_get_lrealm(realm, 0);
+ krb_get_lrealm(realm, 1);
 if(ticket){
 cip.length = base64_decode(ticket, &cip.dat);
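Review bot: The new `strnlen(ptr, left) == left` checks only prove that a NUL exists inside the remaining input, so the `strcpy(sname,ptr)`, `strcpy(sinst, ptr)` and `strcpy(srealm,ptr)` that follow can still copy up to `cip->length` bytes of client-supplied data into fixed-size stack arrays (`srealm[REALM_SZ]` is visible in the first hunk; sname and sinst are presumably declared the same way, which `sizeof` below assumes). Each check should also compare the measured length against the destination size, and `left` should be verified to hold at least 8 bytes before the `memmove(session, ptr, 8)` at the top of the hunk, because `left -= 8` on a shorter input goes negative and is then passed to `strnlen` as a huge size_t. A single `size_t len` local (declared with the other locals, outside this hunk) lets the same measured length drive the copy and the `ptr`/`left` updates, and comparing against `(size_t)left` avoids the signed/unsigned mismatch in the current `== left`. store_ticket's body continues outside the hunk.
```c
    /* extract session key */
    if (left < 8)
        return(INTK_BADPW);
    memmove(session, ptr, 8);
    ptr += 8;
    left -= 8;

    /* extract server's name: NUL must lie inside the remaining input and the string must fit sname */
    len = strnlen(ptr, left);
    if (len == (size_t)left || len >= sizeof sname)
        return(INTK_BADPW);
    strcpy(sname, ptr);
    ptr += len + 1;
    left -= len + 1;
    /* … unchanged: same pattern for sinst (sizeof sinst) and srealm (sizeof srealm), then the lifetime/kvno/length and ticket checks … */
```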