diff options
Diffstat (limited to 'src/lib/krb5/krb/pac.c')
| -rw-r--r-- | src/lib/krb5/krb/pac.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 2f1df8d..f6c4373 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -28,6 +28,8 @@ #include "int-proto.h" #include "authdata.h" +#define MAX_BUFFERS 4096 + /* draft-brezak-win2k-krb-authz-00 */ /* @@ -317,6 +319,9 @@ krb5_pac_parse(krb5_context context, if (version != 0) return EINVAL; + if (cbuffers < 1 || cbuffers > MAX_BUFFERS) + return ERANGE; + header_len = PACTYPE_LENGTH + (cbuffers * PAC_INFO_BUFFER_LENGTH); if (len < header_len) return ERANGE; @@ -349,8 +354,8 @@ krb5_pac_parse(krb5_context context, krb5_pac_free(context, pac); return EINVAL; } - if (buffer->Offset < header_len || - buffer->Offset + buffer->cbBufferSize > len) { + if (buffer->Offset < header_len || buffer->Offset > len || + buffer->cbBufferSize > len - buffer->Offset) { krb5_pac_free(context, pac); return ERANGE; } |