From: Pekka Riikonen
Date: Fri, 3 Oct 2003 07:29:29 +0000 (+0000)
Subject: Fixed possible exploit. The buffer length is now compared
X-Git-Tag: silc.toolkit.0.9.10~22
X-Git-Url: http://git.silcnet.org/gitweb/?a=commitdiff_plain;h=1d0a389b1fd6cc2512398ac27e9d820b2716996f;p=silc.git
Fixed possible exploit. The buffer length is now compared correctlyy against the length from the data.
---
diff --git a/lib/silccore/silcpacket.c b/lib/silccore/silcpacket.c
index 7bac3681..00c4b5e9 100644
--- a/lib/silccore/silcpacket.c
+++ b/lib/silccore/silcpacket.c
@@ -527,13 +527,13 @@ static int silc_packet_decrypt(SilcCipher cipher, SilcHmac hmac,
 len = (((SilcUInt8)buffer->data[4] + (SilcUInt8)buffer->data[6] + (SilcUInt8)buffer->data[7] + SILC_PACKET_HEADER_LEN) - block_len);
+ silc_buffer_pull(buffer, block_len);
 if (len > buffer->len) {
 SILC_LOG_ERROR(("Garbage in header of packet, bad packet length, " "packet dropped"));
 return -1;
 }
- silc_buffer_pull(buffer, block_len);
 if (!silc_cipher_decrypt(cipher, buffer->data, buffer->data, len, NULL)) {
 SILC_LOG_ERROR(("silc_cipher_decrypt failed"));
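Review bot: The bound check `if (len > buffer->len)` is only correct because `silc_buffer_pull(buffer, block_len)` now runs before it, and nothing in the code records that ordering requirement; a comment above the pull such as `/* Pull the first block before the check: len counts only the bytes after it */` would keep a later cleanup from moving it back. The moved pull also means the `return -1` path now leaves the buffer advanced by `block_len`, which matters if a caller inspects or reuses the buffer after a failed decrypt (callers are outside the hunk, so this needs confirming). Separately, `len` is built from header bytes minus `block_len` with no lower bound visible here; whether a sum smaller than `block_len` is caught by the comparison depends on the types of `len` and `buffer->len`, which are declared outside the hunk, so rejecting that case explicitly before the subtraction would be safer. silc_packet_decrypt starts and ends outside the hunk.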