From f165d1e942b55329261ee573af86bdbbe3d57b57 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Wed, 18 May 2022 17:18:44 +1200
Subject: [PATCH] lib/krb5: Avoid undefined pointer arithmetic

If the AP len is large enough, we might end up computing an address beyond the end of the 'reply' array, which is undefined behaviour.

Signed-off-by: Joseph Sutton
---
 lib/krb5/changepw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/krb5/changepw.c b/lib/krb5/changepw.c
index 12f0b1546..1982925bf 100644
--- a/lib/krb5/changepw.c
+++ b/lib/krb5/changepw.c
@@ -384,7 +384,7 @@ process_reply (krb5_context context,
     ap_rep_data.data = reply + 6;
     ap_rep_data.length = (reply[4] << 8) | (reply[5]);
 
-    if (reply + len < (u_char *)ap_rep_data.data + ap_rep_data.length) {
+    if (len - 6 < ap_rep_data.length) {
         str2data (result_string, "client: wrong AP len in reply");
         *result_code = KRB5_KPASSWD_MALFORMED;
         return 0;
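Review bot: The new guard `len - 6 < ap_rep_data.length` is only sound if `len >= 6` has already been established, and nothing in this hunk shows that. If `len` is an unsigned type (its declaration is outside the hunk), a reply shorter than six bytes would make `len - 6` wrap to a very large value and the check would pass; the context lines above also read `reply[4]` and `reply[5]` on the same assumption. Either make the guard self-contained, `if (len < 6 || len - 6 < ap_rep_data.length) {`, or add a comment such as `/* len >= 6 was checked above, so len - 6 cannot wrap */`. process_reply starts and ends outside the hunk, so an earlier length check may already exist and should be confirmed.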