1 files changed, 8 insertions, 4 deletions

diff --git a/bufaux.c b/bufaux.c
index 80abe890b..d3dc674ce 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -37,7 +37,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: bufaux.c,v 1.26 2002/06/23 09:46:51 deraadt Exp $");
+RCSID("$OpenBSD: bufaux.c,v 1.27 2002/06/26 08:53:12 markus Exp $");
 
 #include <openssl/bn.h>
 #include "bufaux.h"
@@ -88,6 +88,8 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value)
         bits = GET_16BIT(buf);
         /* Compute the number of binary bytes that follow. */
         bytes = (bits + 7) / 8;
+        if (bytes > 8 * 1024)
+                fatal("buffer_get_bignum: cannot handle BN of size %d", bytes);
         if (buffer_len(buffer) < bytes)
                 fatal("buffer_get_bignum: input buffer too small");
         bin = buffer_ptr(buffer);
@@ -129,13 +131,15 @@ buffer_put_bignum2(Buffer *buffer, BIGNUM *value)
         xfree(buf);
 }
 
+/* XXX does not handle negative BNs */
 void
 buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
 {
-        /**XXX should be two's-complement */
-        int len;
-        u_char *bin = buffer_get_string(buffer, (u_int *)&len);
+        u_int len;
+        u_char *bin = buffer_get_string(buffer, &len);
 
+        if (len > 8 * 1024)
+                fatal("buffer_get_bignum2: cannot handle BN of size %d", len);
         BN_bin2bn(bin, len, value);
         xfree(bin);
 }