don't blindly trust rlen; from Heimdal 0.5.1

crypto/dist/heimdal/kadmin/version4.c

@@ -42,7 +42,7 @@
 #include <kadm_err.h>
 
 __RCSID("$Heimdal: version4.c,v 1.26 2002/09/10 15:20:46 joda Exp $"
-        "$NetBSD: version4.c,v 1.1.1.4 2002/09/12 12:41:39 joda Exp $");
+        "$NetBSD: version4.c,v 1.2 2002/10/21 19:39:51 joda Exp $");
 
 #define KADM_NO_OPCODE -1
 #define KADM_NO_ENCRYPT -2
@@ -823,6 +823,13 @@ decode_packet(krb5_context context,
     off += _krb5_get_int(msg + off, &rlen, 4);
     memset(&authent, 0, sizeof(authent));
     authent.length = message.length - rlen - KADM_VERSIZE - 4;
+
+    if(authent.length >= MAX_KTXT_LEN) {
+	krb5_warnx(context, "received bad rlen (%lu)", (unsigned long)rlen);
+	make_you_loose_packet (KADM_LENGTH_ERROR, reply);
+	return;
+    }
+
     memcpy(authent.dat, (char*)msg + off, authent.length);
     off += authent.length;