(spnego_reply): make sure the length of the choice element doesn't

overrun us


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13444 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Love Hörnquist Åstrand
2004-03-07 14:25:33 +00:00
parent 1b7fe5bcc4
commit f96b2ccb60
2 changed files with 8 additions and 2 deletions

View File

@@ -669,11 +669,14 @@ spnego_reply
return GSS_S_BAD_MECH;
ret = der_match_tag_and_length((const char *)indata.data,
indata.length - taglen,
indata.length,
CONTEXT, CONS, 1, &len, &taglen);
if (ret)
return ret;
if(len > indata.length - taglen)
return ASN1_OVERRUN;
ret = decode_NegTokenTarg((const char *)indata.data + taglen,
len, &targ, NULL);
if (ret) {

View File

@@ -669,11 +669,14 @@ spnego_reply
return GSS_S_BAD_MECH;
ret = der_match_tag_and_length((const char *)indata.data,
indata.length - taglen,
indata.length,
CONTEXT, CONS, 1, &len, &taglen);
if (ret)
return ret;
if(len > indata.length - taglen)
return ASN1_OVERRUN;
ret = decode_NegTokenTarg((const char *)indata.data + taglen,
len, &targ, NULL);
if (ret) {