Index: kadm_ser_wrap.c =================================================================== RCS file: /cvs/krbdev/krb5/src/kadmin/v4server/kadm_ser_wrap.c,v retrieving revision 1.10.4.1 diff -c -r1.10.4.1 kadm_ser_wrap.c *** kadm_ser_wrap.c 2000/05/23 21:44:50 1.10.4.1 --- kadm_ser_wrap.c 2002/10/22 22:07:11 *************** *** 170,183 **** u_char *retdat, *tmpdat; int retval, retlen; ! if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) { errpkt(dat, dat_len, KADM_BAD_VER); return KADM_BAD_VER; } in_len = KADM_VERSIZE; /* get the length */ ! if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0) return KADM_LENGTH_ERROR; in_len += retc; authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4); memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length); --- 170,190 ---- u_char *retdat, *tmpdat; int retval, retlen; ! if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)) ! || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) { errpkt(dat, dat_len, KADM_BAD_VER); return KADM_BAD_VER; } in_len = KADM_VERSIZE; /* get the length */ ! if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0 ! || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4)) ! || (*dat_len - r_len - KADM_VERSIZE - ! sizeof(krb5_ui_4) > sizeof(authent.dat))) { ! errpkt(dat, dat_len, KADM_LENGTH_ERROR); return KADM_LENGTH_ERROR; + } + in_len += retc; authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4); memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
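Review bot: The new length guards compare `*dat_len` with expressions that contain `sizeof(krb5_ui_4)`, so if `*dat_len` is a signed `int` (its declaration is outside this hunk) a negative value is converted to a large unsigned number and gets past the first check instead of being rejected. I would put an explicit `*dat_len < 0 ||` in front of the first comparison. Once `r_len` has been range-checked, the authenticator length could be computed a single time, e.g. `size_t auth_len = (size_t)*dat_len - KADM_VERSIZE - sizeof(krb5_ui_4) - r_len;`, and then reused for the `sizeof(authent.dat)` bound, for `authent.length` and for the `memcpy`. As written, the same subtraction is spelled out three times, so the check and the copy can drift apart in a later edit. The bound also appears to assume that `stv_long` consumed exactly `sizeof(krb5_ui_4)` bytes (`retc`), which is not visible here and deserves a one-line comment; the enclosing function starts and ends outside the hunk.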