authorGreg Hudson <ghudson@mit.edu>2009-02-05 19:59:09 +0000
committerGreg Hudson <ghudson@mit.edu>2009-02-05 19:59:09 +0000
commit5f5d84a4c967a75b4ceece2392f7d2c327f02a8c (patch)
treef8f9c42fb6f16abcda97c19e871cf1ba9b86e6a4 /src
parent831f20c3d9468b756ee14f746d44fd17016b776c (diff)
In krb5_rc_io_store, check the return value of krb5int_buf_len as well
as krb5int_buf_data. The length can't be negative if the data is non-NULL, but Coverity doesn't know that.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21898 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src')
-rw-r--r--src/lib/krb5/rcache/rc_dfl.c10
1 files changed, 6 insertions, 4 deletions
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index 91eaaea94..c831ba02d 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -656,10 +656,11 @@ krb5_rc_io_store(krb5_context context, struct dfl_data *t,
krb5_donot_replay *rep)
{
size_t clientlen, serverlen;
+ ssize_t buflen;
unsigned int len;
krb5_error_code ret;
struct k5buf buf, extbuf;
- char *ptr, *extstr;
+ char *bufptr, *extstr;
clientlen = strlen(rep->client);
serverlen = strlen(rep->server);
@@ -706,11 +707,12 @@ krb5_rc_io_store(krb5_context context, struct dfl_data *t,
krb5int_buf_add_len(&buf, (char *) &rep->cusec, sizeof(rep->cusec));
krb5int_buf_add_len(&buf, (char *) &rep->ctime, sizeof(rep->ctime));
- ptr = krb5int_buf_data(&buf);
- if (ptr == NULL)
+ bufptr = krb5int_buf_data(&buf);
+ buflen = krb5int_buf_len(&buf);
+ if (bufptr == NULL || buflen < 0)
return KRB5_RC_MALLOC;
- ret = krb5_rc_io_write(context, &t->d, ptr, krb5int_buf_len(&buf));
+ ret = krb5_rc_io_write(context, &t->d, bufptr, buflen);
krb5int_free_buf(&buf);
return ret;
}
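Review bot: The early `return KRB5_RC_MALLOC;` after the new `bufptr == NULL || buflen < 0` test leaves the function without the `krb5int_free_buf(&buf)` call that the success path makes a few lines later. If the k5buf helpers already release their storage when the buffer enters its error state this is harmless, but nothing in the hunk shows that, so either free before returning (`krb5int_free_buf(&buf); return KRB5_RC_MALLOC;`, provided the free is safe on an errored buffer) or add a comment such as `/* buf is in the error state here and owns no memory. */`. `buflen` is an `ssize_t` passed straight to `krb5_rc_io_write`, whose length parameter type is not visible here; if that parameter is unsigned or narrower, an explicit cast after the sign check would document the conversion. The start of krb5_rc_io_store lies outside this hunk.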