1 files changed, 46 insertions, 25 deletions

diff --git a/src/lib/krb5/ccache/ser_cc.c b/src/lib/krb5/ccache/ser_cc.c
index 88e6a13..33e7f51 100644
--- a/src/lib/krb5/ccache/ser_cc.c
+++ b/src/lib/krb5/ccache/ser_cc.c
@@ -158,36 +158,57 @@ krb5_ccache_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **
     krb5_int32		ibuf;
     krb5_octet		*bp;
     size_t		remain;
-    char		*ccname;
+    char		*ccname = NULL;
+
+    *argp = NULL;
 
     bp = *buffer;
     remain = *lenremain;
-    kret = EINVAL;
-    /* Read our magic number */
-    if (krb5_ser_unpack_int32(&ibuf, &bp, &remain))
-	ibuf = 0;
-    if (ibuf == KV5M_CCACHE) {
-	kret = ENOMEM;
 
-	/* Get the length of the ccache name */
-	kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
-
-	if (!kret &&
-	    (ccname = (char *) malloc((size_t) (ibuf+1))) &&
-	    !(kret = krb5_ser_unpack_bytes((krb5_octet *) ccname,
-					   (size_t) ibuf,
-					   &bp, &remain))) {
-	    ccname[ibuf] = '\0';
-	    if (!(kret = krb5_cc_resolve(kcontext, ccname, &ccache)) &&
-		!(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain)) &&
-		(ibuf == KV5M_CCACHE)) {
-		*buffer = bp;
-		*lenremain = remain;
-		*argp = (krb5_pointer) ccache;
-	    }
-	    free(ccname);
-	}
+    /* Read our magic number. */
+    kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+    if (kret)
+	return kret;
+    if (ibuf != KV5M_CCACHE)
+	return EINVAL;
+
+    /* Unpack and validate the length of the ccache name. */
+    kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+    if (kret)
+	return kret;
+    if (ibuf < 0 || ibuf > remain)
+	return EINVAL;
+
+    /* Allocate and unpack the name. */
+    ccname = malloc(ibuf + 1);
+    if (!ccname)
+	return ENOMEM;
+    kret = krb5_ser_unpack_bytes((krb5_octet *) ccname, (size_t) ibuf,
+				 &bp, &remain);
+    if (kret)
+	goto cleanup;
+    ccname[ibuf] = '\0';
+
+    /* Read the second magic number. */
+    kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
+    if (kret)
+	goto cleanup;
+    if (ibuf != KV5M_CCACHE) {
+	kret = EINVAL;
+	goto cleanup;
     }
+
+    /* Resolve the named credential cache. */
+    kret = krb5_cc_resolve(kcontext, ccname, &ccache);
+    if (kret)
+	goto cleanup;
+
+    *buffer = bp;
+    *lenremain = remain;
+    *argp = ccache;
+
+cleanup:
+    free(ccname);
     return(kret);
 }