authorKen Raeburn <raeburn@mit.edu>2004-07-14 21:06:22 +0000
committerKen Raeburn <raeburn@mit.edu>2004-07-14 21:06:22 +0000
commit9c67f66f2288d7a387bd46d4aa46d0b514cb4223 (patch)
tree3fe159a6910c65266a3f2e88f4b7c35aba51b07b
parentd101263e02d4cf872678a236a2685f12b829244a (diff)
* recvauth.c (krb_recvauth): Initialize cp and tmp_buf. Check length of data
read before evaluating the value.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@16595 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/krb4/ChangeLog5
-rw-r--r--src/lib/krb4/recvauth.c9
2 files changed, 11 insertions, 3 deletions
diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog
index 20c548c39..7b865d367 100644
--- a/src/lib/krb4/ChangeLog
+++ b/src/lib/krb4/ChangeLog
@@ -1,3 +1,8 @@
+2004-07-14 Ken Raeburn <raeburn@mit.edu>
+
+ * recvauth.c (krb_recvauth): Initialize cp and tmp_buf. Check
+ length of data read before evaluating the value.
+
2004-06-22 Ken Raeburn <raeburn@mit.edu>
* g_pw_in_tkt.c (passwd_to_key): Don't test macintosh.
diff --git a/src/lib/krb4/recvauth.c b/src/lib/krb4/recvauth.c
index 3d58a33c6..bd2aca56a 100644
--- a/src/lib/krb4/recvauth.c
+++ b/src/lib/krb4/recvauth.c
@@ -150,11 +150,11 @@ krb_recvauth(options, fd, ticket, service, instance, faddr, laddr, kdata,
int i, cc, old_vers = 0;
char krb_vers[KRB_SENDAUTH_VLEN + 1]; /* + 1 for the null terminator */
- char *cp;
+ char *cp = NULL;
int rem;
KRB4_32 tkt_len, priv_len;
unsigned KRB4_32 cksum;
- u_char tmp_buf[MAX_KTXT_LEN+max(KRB_SENDAUTH_VLEN+1,21)];
+ u_char tmp_buf[MAX_KTXT_LEN+max(KRB_SENDAUTH_VLEN+1,21)] = { 0 };
/* read the protocol version number */
if (krb_net_read(fd, krb_vers, KRB_SENDAUTH_VLEN) !=
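Review bot: The size of `tmp_buf` still depends on the bare literal `21`, while the second hunk of this file adds a check against the bare literal `20` (`if (i==20)`), so the buffer bound and the read limit agree only by convention. A named constant, for example `#define KRB_OLD_LEN_FIELD 20` (a constructed name), used as `max(KRB_SENDAUTH_VLEN+1, KRB_OLD_LEN_FIELD+1)` here and `if (i == KRB_OLD_LEN_FIELD)` below, would keep the two from drifting apart. The new `= NULL` and `= { 0 }` initializers would also benefit from a one-line comment naming the read path they protect, since the code that assigns `cp` lies outside this hunk.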
@@ -196,11 +196,14 @@ krb_recvauth(options, fd, ticket, service, instance, faddr, laddr, kdata,
}
}
+ if (i==20)
+ return(KFAILURE);
+
tkt_len = (KRB4_32) atoi((char *) tmp_buf);
/* sanity check the length */
/* These conditions make sure that cp got initialized */
- if ((i==20)||(tkt_len<=0)||(tkt_len>MAX_KTXT_LEN))
+ if ((tkt_len<=0)||(tkt_len>MAX_KTXT_LEN))
return(KFAILURE);
if (i < KRB_SENDAUTH_VLEN) {
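Review bot: `atoi((char *) tmp_buf)` still parses a length field that comes from the peer, and `atoi` has undefined behavior when the digits do not fit in an `int`; the new `i==20` guard presumably caps the field at 19 characters, which is still enough to overflow. Parsing with `strtol` makes the failure detectable: `errno = 0; v = strtol((char *) tmp_buf, &end, 10);` followed by `if (end == (char *) tmp_buf || errno == ERANGE || v <= 0 || v > MAX_KTXT_LEN) return(KFAILURE);`, with `long v` and `char *end` declared alongside the other locals, `<errno.h>` included, and `tkt_len` assigned only after the range check passes. The comment `/* These conditions make sure that cp got initialized */` is now stale, because the `i==20` test it referred to has moved above `atoi` and `cp` is initialized to `NULL` in the first hunk; it should move up to the new check or be reworded. The loop that fills `tmp_buf` and the rest of `krb_recvauth` are outside this hunk.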