(spnego_reply): make sure the length of the choice element doesn't

overrun us git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13444 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-03-07 14:25:33 +00:00
parent 1b7fe5bcc4
commit f96b2ccb60
2 changed files with 8 additions and 2 deletions
--- a/lib/gssapi/init_sec_context.c
+++ b/lib/gssapi/init_sec_context.c
@@ -669,11 +669,14 @@ spnego_reply
 	return GSS_S_BAD_MECH;

    ret = der_match_tag_and_length((const char *)indata.data,
-				   indata.length - taglen,
+				   indata.length,
 				   CONTEXT, CONS, 1, &len, &taglen);
    if (ret)
 	return ret;

+    if(len > indata.length - taglen)
+	return ASN1_OVERRUN;
+
    ret = decode_NegTokenTarg((const char *)indata.data + taglen, 
 			      len, &targ, NULL);
    if (ret) {
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -669,11 +669,14 @@ spnego_reply
 	return GSS_S_BAD_MECH;

    ret = der_match_tag_and_length((const char *)indata.data,
-				   indata.length - taglen,
+				   indata.length,
 				   CONTEXT, CONS, 1, &len, &taglen);
    if (ret)
 	return ret;

+    if(len > indata.length - taglen)
+	return ASN1_OVERRUN;
+
    ret = decode_NegTokenTarg((const char *)indata.data + taglen, 
 			      len, &targ, NULL);
    if (ret) {