- add another check in decrypt_internal_special()

prompted by miod@ ok miod@ deraadt@
author: jasper <jasper@openbsd.org> 2010-03-28 20:28:17 +0000
committer: jasper <jasper@openbsd.org> 2010-03-28 20:28:17 +0000
commit: b7bc0cb896633953433808c5bc8cf19bde7dbfb7 (patch)
tree: 83e4b72769f15ee6b3e0f98064c2857e4df85b0d
parent: Fix user-after-free bug in pmap_remove(). Page table pages are freed as soon (diff)
download: wireguard-openbsd-b7bc0cb896633953433808c5bc8cf19bde7dbfb7.tar.xz
wireguard-openbsd-b7bc0cb896633953433808c5bc8cf19bde7dbfb7.zip
1 files changed, 6 insertions, 0 deletions
diff --git a/kerberosV/src/lib/krb5/crypto.c b/kerberosV/src/lib/krb5/crypto.c
index 94e87d5c769..f82732052db 100644
--- a/kerberosV/src/lib/krb5/crypto.c
+++ b/kerberosV/src/lib/krb5/crypto.c
@@ -3603,6 +3603,12 @@ decrypt_internal_special(krb5_context context,
 	return KRB5_BAD_MSIZE;
     }
 
+    if (len < cksum_sz + et->confoundersize) {
+	krb5_set_error_string(context, "Encrypted data shorter then "
+				  "checksum + confunder");
+	return KRB5_BAD_MSIZE;
+    }
+
     p = malloc (len);
     if (p == NULL) {
 	krb5_set_error_string(context, "malloc: out of memory");
author	jasper <jasper@openbsd.org>	2010-03-28 20:28:17 +0000
committer	jasper <jasper@openbsd.org>	2010-03-28 20:28:17 +0000
commit	b7bc0cb896633953433808c5bc8cf19bde7dbfb7 (patch)
tree	83e4b72769f15ee6b3e0f98064c2857e4df85b0d
parent	Fix user-after-free bug in pmap_remove(). Page table pages are freed as soon (diff)
download	wireguard-openbsd-b7bc0cb896633953433808c5bc8cf19bde7dbfb7.tar.xz wireguard-openbsd-b7bc0cb896633953433808c5bc8cf19bde7dbfb7.zip