authorTom Yu <tlyu@mit.edu>2002-11-01 22:13:57 +0000
committerTom Yu <tlyu@mit.edu>2002-11-01 22:13:57 +0000
commit11816421529fb3a8469f29d57ac8c882c52e295a (patch)
tree2df5eae838ca89be8f659cf12d7aa0bfd4db1516 /src/kadmin/v4server
parent7355534e4e1c8e976a95be02e80927f4f2437ecd (diff)
MITKRB5-SA-2002-002 buffer overflow in kadmind4
* kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002 buffer overflow. ticket: new status: open version_reported: 1.2.6 target_version: 1.2.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14959 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/v4server')
-rw-r--r--src/kadmin/v4server/ChangeLog5
-rw-r--r--src/kadmin/v4server/kadm_ser_wrap.c11
2 files changed, 14 insertions, 2 deletions
diff --git a/src/kadmin/v4server/ChangeLog b/src/kadmin/v4server/ChangeLog
index 1bf63ae..256c60f 100644
--- a/src/kadmin/v4server/ChangeLog
+++ b/src/kadmin/v4server/ChangeLog
@@ -1,3 +1,8 @@
+2002-11-01 Tom Yu <tlyu@mit.edu>
+
+ * kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002
+ buffer overflow.
+
2002-08-29 Ken Raeburn <raeburn@mit.edu>
* Makefile.in: Revert $(S)=>/ change, for Windows support.
diff --git a/src/kadmin/v4server/kadm_ser_wrap.c b/src/kadmin/v4server/kadm_ser_wrap.c
index 41d572b..e7914f1 100644
--- a/src/kadmin/v4server/kadm_ser_wrap.c
+++ b/src/kadmin/v4server/kadm_ser_wrap.c
@@ -173,14 +173,21 @@ int *dat_len;
u_char *retdat, *tmpdat;
int retval, retlen;
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
errpkt(dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
+ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
+ || (*dat_len - r_len - KADM_VERSIZE -
+ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
+ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
return KADM_LENGTH_ERROR;
+ }
+
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
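Review bot: The new bounds checks compare the signed `*dat_len` (declared `int *dat_len;`) against expressions containing `sizeof`, so the comparison is done in an unsigned type and a negative `*dat_len` would not be rejected by the first guard. Whether the later `r_len` checks still catch that case depends on the packet-supplied `r_len`, so I would make the sign handling explicit by starting the condition with `if (*dat_len < 0 || (size_t)*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)`. The expression `*dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4)` is also written once in the check and again in the assignment to `authent.length`; computing it once into a local and using that for both the comparison with `sizeof(authent.dat)` and the `memcpy` length would keep the check and the copy from drifting apart. kadm_ser_in starts and ends outside this hunk, so the type of `r_len` and what callers guarantee about `*dat_len` are not visible here.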