Re: [PATCH] Only process full TLS frames in schan_DecryptMessage
On Mon, 2010-08-30 at 23:57 +0300, Mikko Rasa wrote:
+ SIZE_T expected_size;
ssize_t received = 0;
ssize_t ret;
int idx;
- char *buf_ptr;
+ unsigned char *buf_ptr;
unsigned int offset;
TRACE("context_handle %p, message %p, message_seq_no %d, quality %p\n",
@@ -1230,12 +1243,22 @@ static SECURITY_STATUS SEC_ENTRY schan_DecryptMessage(PCtxtHandle context_handle
if (idx == -1) return SEC_E_INVALID_TOKEN;
buffer = &message->pBuffers[idx];
+ buf_ptr = (unsigned char *)buffer->pvBuffer;
+
+ expected_size = 5 + ((buf_ptr[3] << 8) | buf_ptr[4]);
+ if(buffer->cbBuffer < expected_size)
+ {
+ TRACE("Expected %u bytes, but buffer only contains %u bytes\n", expected_size, buffer->cbBuffer);
+ TRACE("Returning SEC_E_INCOMPLETE_MESSAGE\n");
+ return SEC_E_INCOMPLETE_MESSAGE;
+ }
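Review bot: The added `expected_size` computation reads `buf_ptr[3]` and `buf_ptr[4]` before anything visible in the hunk confirms that the data buffer holds a complete 5-byte TLS record header. If `buffer->cbBuffer` is below 5, this is an out-of-bounds read on data that comes from the peer. A guard placed ahead of the assignment would cover it, for example `if (buffer->cbBuffer < 5) return SEC_E_INCOMPLETE_MESSAGE;`, ideally with the literal 5 given a name describing the record header length since it is used again in the sum. The body of schan_DecryptMessage starts and continues outside the quoted hunk, so an earlier length check may exist there; if it does, a short comment next to the indexing would make that dependency explicit.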
This produces a compiler warning here: schannel.c: In function ‘schan_DecryptMessage’: schannel.c:1251: warning: format ‘%u’ expects type ‘unsigned int’, but argument 5 has type ‘SIZE_T’
Hans Leidekker