From 4674f2dc6c690384012da6c385806ced2eddeb00 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand
Date: Thu, 30 Jul 2009 12:50:01 +0200
Subject: [PATCH] Better length checks [CID-67]

---
 appl/kx/kxd.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/appl/kx/kxd.c b/appl/kx/kxd.c
index 917b603a6..65bd1a18f 100644
--- a/appl/kx/kxd.c
+++ b/appl/kx/kxd.c
@@ -171,11 +171,17 @@ recv_conn (int sock, kx_context *kc,
     if (*p != INIT)
         fatal(kc, sock, "Bad message");
     p++;
+    if ((p - msg) < sizeof(msg))
+        fatal(kc, sock, "user");
+
     p += kx_get_int (p, &tmp32, 4, 0);
-    len = min(sizeof(user), tmp32);
-    memcpy (user, p, len);
+    if (tmp32 >= sizeof(user) - 1)
+        fatal(kc, sock, "user name too long");
+    if ((p - msg) + tmp32 >= sizeof(msg))
+        fatal(kc, sock, "user too long");
+    memcpy (user, p, tmp32);
     p += tmp32;
-    user[len] = '\0';
+    user[tmp32] = '\0';
 
     passwd = k_getpwnam (user);
     if (passwd == NULL)
@@ -185,6 +191,9 @@ recv_conn (int sock, kx_context *kc,
         fatal (kc, sock, "%s not allowed to login as %s",
                kc->user, user);
 
+    if ((p - msg) >= sizeof(msg))
+        fatal(kc, sock, "user too long");
+
     flags = *p++;
 
     if (flags & PASSIVE) {
@@ -240,15 +249,17 @@ recv_conn (int sock, kx_context *kc,
     umask(077);
     if (!(flags & PASSIVE)) {
         p += kx_get_int (p, &tmp32, 4, 0);
-        len = min(tmp32, display_size);
-        memcpy (display, p, len);
-        display[len] = '\0';
+        if (tmp32 > display_size)
+            fatal(kc, sock, "display too large");
+        if ((p - msg) + tmp32 + 8 >= sizeof(msg))
+            fatal(kc, sock, "user too long");
+        memcpy (display, p, tmp32);
+        display[tmp32] = '\0';
         p += tmp32;
         p += kx_get_int (p, &tmp32, 4, 0);
         len = min(tmp32, xauthfile_size);
         memcpy (xauthfile, p, len);
         xauthfile[len] = '\0';
-        p += tmp32;
     }
 #if defined(SO_KEEPALIVE) && defined(HAVE_SETSOCKOPT)
     if (flags & KEEP_ALIVE) {
-- 
2.11.4.GIT
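Review bot: The new guard right after `p++` in the first hunk is inverted: `if ((p - msg) < sizeof(msg))` is true for every message whose cursor is still inside the buffer, so a well-formed connection is killed with "user" while the overrun it is meant to catch passes through. It should be `if ((p - msg) + 4 > sizeof(msg))`, which also accounts for the 4 bytes the following `kx_get_int (p, &tmp32, 4, 0)` consumes (the 4 is presumably the byte count); the later `(p - msg) + tmp32 >= sizeof(msg)` check then covers the name bytes themselves. All of these bounds are taken against `sizeof(msg)` rather than the number of bytes actually received; if recv_conn keeps that count from the read that happens above this hunk, bounding against it would also reject short messages that currently pass as far as stale buffer contents allow. recv_conn starts before this hunk and continues past it.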
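Review bot: The diagnostic on the new check before `flags = *p++` in the second hunk is copied from the user-name path: a message that ends right after the user name is reported as "user too long", which will mislead anyone reading the log when the name itself was fine. A message naming what is missing, `fatal(kc, sock, "message truncated before flags");`, keeps this check distinguishable from the two in the previous hunk that already use "user" wording. The check itself is correct for the single byte consumed on the next line. recv_conn continues on both sides of this hunk.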
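Review bot: The xauthfile copy immediately after the new display checks in the third hunk is still unbounded on the source side: `len = min(tmp32, xauthfile_size)` clamps to the destination, but nothing checks that `p + len` stays inside `msg`, so an attacker-chosen length still makes `memcpy (xauthfile, p, len)` read past the received message, and `xauthfile[len] = '\0'` writes one past the end if `xauthfile_size` is the full buffer size. The `+ 8` in the display guard presumably reserves room for the 4-byte length that follows, but it cannot cover the variable-length xauthfile data, so the same pair of checks used for the user name belongs here as well. The display check has the same edge: with `tmp32 == display_size`, `display[tmp32] = '\0'` writes one past the buffer if `display_size` is its full size, so `if (tmp32 >= display_size)` (matching the `sizeof(user) - 1` comparison above) is the safer form, and its diagnostic "user too long" is a copy-paste that should name the display. recv_conn continues on both sides of this hunk.
```c
	p += kx_get_int (p, &tmp32, 4, 0);
	if (tmp32 >= xauthfile_size)
	    fatal(kc, sock, "xauthfile too long");
	if ((p - msg) + tmp32 >= sizeof(msg))
	    fatal(kc, sock, "message truncated in xauthfile");
	memcpy (xauthfile, p, tmp32);
	xauthfile[tmp32] = '\0';
	/* … unchanged: closing brace of the !PASSIVE block, KEEP_ALIVE handling … */
```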