authorJasper Lievisse Adriaanse <jasper@cvs.openbsd.org>2010-03-26 16:16:27 +0000
committerJasper Lievisse Adriaanse <jasper@cvs.openbsd.org>2010-03-26 16:16:27 +0000
commit5c0668aeb3664e3654a9fa92c8bd300d21ec81e3 (patch)
treea37a524030d80d01f383f19b8d060fc0b877584f
parente8f391a80dfa452a869118a793779e668e57075b (diff)
- merge a fix from heimdal's 2010-03-21 advisory to add more paranoid
checking for underruns when decrypting packets. ok beck@ "sure" deraadt@
-rw-r--r--kerberosV/src/lib/krb5/crypto.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/kerberosV/src/lib/krb5/crypto.c b/kerberosV/src/lib/krb5/crypto.c
index dab6aa79956..94e87d5c769 100644
--- a/kerberosV/src/lib/krb5/crypto.c
+++ b/kerberosV/src/lib/krb5/crypto.c
@@ -3451,6 +3451,12 @@ decrypt_internal_derived(krb5_context context,
return KRB5_BAD_MSIZE;
}
+ if (len < checksum_sz + et->confoundersize) {
+ krb5_set_error_string(context, "Encrypted data shorter then "
+ "checksum + confunder");
+ return KRB5_BAD_MSIZE;
+ }
+
p = malloc(len);
if(len != 0 && p == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
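Review bot: The error string set by the new check in decrypt_internal_derived misspells two words ("shorter then", "confunder"). It is the text an operator sees when a truncated ciphertext is rejected, so it should read `"Encrypted data shorter than "` and `"checksum + confounder"` to stay searchable in logs. The identical string in the decrypt_internal hunk below has the same typos. The check would also benefit from a one-line comment saying why it exists, e.g. `/* len must cover checksum + confounder, otherwise the later length arithmetic underruns */`. That arithmetic is outside the hunk, so the wording is inferred from the commit message; the function body also starts and ends outside the hunk.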
@@ -3525,6 +3531,13 @@ decrypt_internal(krb5_context context,
}
checksum_sz = CHECKSUMSIZE(et->checksum);
+
+ if (len < checksum_sz + et->confoundersize) {
+ krb5_set_error_string(context, "Encrypted data shorter then "
+ "checksum + confunder");
+ return KRB5_BAD_MSIZE;
+ }
+
p = malloc(len);
if(len != 0 && p == NULL) {
krb5_set_error_string(context, "malloc: out of memory");
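Review bot: The length check added here duplicates, line for line, the one added to decrypt_internal_derived above, so the two copies can drift apart, and any other decrypt path in crypto.c (none is visible in this diff) would need a third copy. A small static helper called from both places would keep the minimum-length rule and its message in one spot. The sketch below assumes that len and both sizes are size_t and that decrypt_internal has a krb5_error_code local named ret; neither is visible in the hunk. decrypt_internal continues outside the hunk.

```c
/* Reject ciphertext too short to hold the confounder and the checksum. */
static krb5_error_code
check_min_cipher_len(krb5_context context, size_t len,
                     size_t checksum_sz, size_t confoundersize)
{
    if (len < checksum_sz + confoundersize) {
        krb5_set_error_string(context, "Encrypted data shorter than "
                              "checksum + confounder");
        return KRB5_BAD_MSIZE;
    }
    return 0;
}

/* … in decrypt_internal, replacing the inline check … */
    checksum_sz = CHECKSUMSIZE(et->checksum);
    ret = check_min_cipher_len(context, len, checksum_sz, et->confoundersize);
    if (ret)
        return ret;
    /* … unchanged: malloc(len) and out-of-memory handling … */
```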