From a0282fd7094f4f781b87a51b5386734893572373 Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Thu, 4 Oct 2001 18:51:32 +0000
Subject: 	* accept_sec_context.c (krb5_gss_accept_sec_context): Ignore 
 unrecognized options properly. [krb5-libs/738]

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13778 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/krb5/ChangeLog            |  5 +++++
 src/lib/gssapi/krb5/accept_sec_context.c | 28 ++++++++++++++++++----------
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 4b163c8..1393b7c 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,3 +1,8 @@
+2001-10-04  Tom Yu  <tlyu@mit.edu>
+
+	* accept_sec_context.c (krb5_gss_accept_sec_context): Ignore
+	unrecognized options properly. [krb5-libs/738]
+
 2001-10-03  Ken Raeburn  <raeburn@mit.edu>
 
 	* copy_ccache.c, get_tkt_flags.c, gssapi_krb5.h, krb5_gss_glue.c,
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index 131dffb..7af8f03 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -474,21 +474,31 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 
 	   i = authdat->checksum->length - 24;
 
-	   while(i>0) {
+	   while (i >= 4) {
 
 	       TREAD_INT16(ptr, option_id, bigend);
 
-	       switch(option_id) {
+	       TREAD_INT16(ptr, option.length, bigend);
 
-	       case KRB5_GSS_FOR_CREDS_OPTION:
+	       i -= 4;
+
+	       /* have to use ptr2, since option.data is wrong type and
+		  macro uses ptr as both lvalue and rvalue */
+
+	       if (i < option.length || option.length < 0) {
+		   code = KG_BAD_LENGTH;
+		   major_status = GSS_S_FAILURE;
+		   goto fail;
+	       }
 
-		   TREAD_INT16(ptr, option.length, bigend);
+	       TREAD_STR(ptr, ptr2, bigend);
+	       option.data = (char FAR *) ptr2;
 
-		   /* have to use ptr2, since option.data is wrong type and
-		      macro uses ptr as both lvalue and rvalue */
+	       i -= option.length;
 
-		   TREAD_STR(ptr, ptr2, bigend);
-		   option.data = (char FAR *) ptr2;
+	       switch(option_id) {
+
+	       case KRB5_GSS_FOR_CREDS_OPTION:
 
 		   /* store the delegated credential */
 
@@ -500,8 +510,6 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
 		       goto fail;
 		   }
 
-		   i -= option.length + 4;
-
 		   gss_flags |= GSS_C_DELEG_FLAG; /* got a delegation */
 
 		   break;
-- 
cgit v1.1