summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJakob Schlyter <jakob@cvs.openbsd.org>2002-10-21 19:45:38 +0000
committerJakob Schlyter <jakob@cvs.openbsd.org>2002-10-21 19:45:38 +0000
commit409daa0344bb5c7ec3bae6e23f61299b86bb3179 (patch)
treee8652253bcefbdeccd4e6f00bdb3f92cdafa85a1
parent789336f19bcb037fb3b933ace7e9efb51a4f11c7 (diff)
fix remote exploit in kadmind; from lha@stacken.kth.se. ok hin@
Diffstat
-rw-r--r--kerberosV/src/kadmin/version4.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/kerberosV/src/kadmin/version4.c b/kerberosV/src/kadmin/version4.c
index 4274408091d..9407aab07eb 100644
--- a/kerberosV/src/kadmin/version4.c
+++ b/kerberosV/src/kadmin/version4.c
@@ -822,6 +822,13 @@ decode_packet(krb5_context context,
off += _krb5_get_int(msg + off, &rlen, 4);
memset(&authent, 0, sizeof(authent));
authent.length = message.length - rlen - KADM_VERSIZE - 4;
+
+ if(authent.length >= MAX_KTXT_LEN) {
+ krb5_warnx(context, "received bad rlen (%lu)", (unsigned long)rlen);
+ make_you_loose_packet (KADM_LENGTH_ERROR, reply);
+ return;
+ }
+
memcpy(authent.dat, (char*)msg + off, authent.length);
off += authent.length;
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-24 14:14:56 +0000