From f96b2ccb60fd52af090ac3a35a238ee9d6bac2b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Sun, 7 Mar 2004 14:25:33 +0000
Subject: [PATCH] (spnego_reply): make sure the length of the choice element doesn't overrun us

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13444 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/init_sec_context.c | 5 ++++-
 lib/gssapi/krb5/init_sec_context.c | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/gssapi/init_sec_context.c b/lib/gssapi/init_sec_context.c
index abcef83c1..bbf029596 100644
--- a/lib/gssapi/init_sec_context.c
+++ b/lib/gssapi/init_sec_context.c
@@ -669,11 +669,14 @@ spnego_reply
 return GSS_S_BAD_MECH;

 ret = der_match_tag_and_length((const char *)indata.data,
- indata.length - taglen,
+ indata.length,
 CONTEXT, CONS, 1, &len, &taglen);
 if (ret)
 return ret;

+ if(len > indata.length - taglen)
+ return ASN1_OVERRUN;
+
 ret = decode_NegTokenTarg((const char *)indata.data + taglen,
 len, &targ, NULL);
 if (ret) {
diff --git a/lib/gssapi/krb5/init_sec_context.c b/lib/gssapi/krb5/init_sec_context.c
index abcef83c1..bbf029596 100644
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -669,11 +669,14 @@ spnego_reply
 return GSS_S_BAD_MECH;

 ret = der_match_tag_and_length((const char *)indata.data,
- indata.length - taglen,
+ indata.length,
 CONTEXT, CONS, 1, &len, &taglen);
 if (ret)
 return ret;

+ if(len > indata.length - taglen)
+ return ASN1_OVERRUN;
+
 ret = decode_NegTokenTarg((const char *)indata.data + taglen,
 len, &targ, NULL);
 if (ret) {
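Review bot: The new bounds check returns the ASN.1 library code `ASN1_OVERRUN` directly, while the first context line of the same hunk returns a GSS major status (`GSS_S_BAD_MECH`). The signature of spnego_reply is outside the hunk, but if it returns a GSS major status, a caller that tests the result with the GSS status macros may not see a truncated or oversized peer token as a defective-token failure. Consider `return GSS_S_DEFECTIVE_TOKEN;` here, with the ASN.1 code stored in the minor status if the function has one; the existing `return ret;` just above has the same shape. The subtraction `indata.length - taglen` is only safe if der_match_tag_and_length never reports a `taglen` larger than the length it was given, so a short comment such as `/* header parsed OK, so taglen <= indata.length; reject a content length that runs past the token */` would record that assumption. The identical hunk in lib/gssapi/krb5/init_sec_context.c needs the same treatment.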