1 files changed, 14 insertions, 4 deletions

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 3748cd7c24..f03c290a3e 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -114,14 +114,14 @@
 
 
 #include <stdio.h>
+#include "ssl_locl.h"
+#include "kssl_lcl.h"
 #include <openssl/buffer.h>
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/krb5_asn.h>
-#include "ssl_locl.h"
-#include "kssl_lcl.h"
 #include <openssl/md5.h>
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
@@ -1560,8 +1560,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
                 EVP_CIPHER              *enc = NULL;
                 unsigned char           iv[EVP_MAX_IV_LENGTH];
                 unsigned char           pms[SSL_MAX_MASTER_KEY_LENGTH
-                                                + EVP_MAX_IV_LENGTH + 1];
-                int                     padl, outl = sizeof(pms);
+                                               + EVP_MAX_BLOCK_LENGTH];
+                int                     padl, outl;
                 krb5_timestamp          authtime = 0;
                 krb5_ticket_times       ttimes;
 
@@ -1584,6 +1584,16 @@ static int ssl3_get_client_key_exchange(SSL *s)
                 enc_pms.data = (char *)p;
                 p+=enc_pms.length;
 
+                /* Note that the length is checked again below,
+                ** after decryption
+                */
+                if(enc_pms.length > sizeof pms)
+                        {
+                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+                               SSL_R_DATA_LENGTH_TOO_LONG);
+                        goto err;
+                        }
+
                 if (n != enc_ticket.length + authenticator.length +
                                                 enc_pms.length + 6)
                         {