lib/krb5: Avoid undefined pointer arithmetic

If the AP len is large enough, we might end up computing an address beyond the end of the 'reply' array, which is undefined behaviour. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-05-18 17:18:44 +12:00
parent f40ac787b1
commit f165d1e942
1 changed files with 1 additions and 1 deletions
--- a/lib/krb5/changepw.c
+++ b/lib/krb5/changepw.c
@@ -384,7 +384,7 @@ process_reply (krb5_context context,
    ap_rep_data.data = reply + 6;
    ap_rep_data.length  = (reply[4] << 8) | (reply[5]);

-    if (reply + len < (u_char *)ap_rep_data.data + ap_rep_data.length) {
+    if (len - 6 < ap_rep_data.length) {
 	str2data (result_string, "client: wrong AP len in reply");
 	*result_code = KRB5_KPASSWD_MALFORMED;
 	return 0;