From f65ca7aaaa38a8e4fe8805b5dbc5e649a9534bb3 Mon Sep 17 00:00:00 2001
From: antiduh <antiduh@e114e3f1-24f7-e311-a78f-001bfcf5e160>
Date: Tue, 1 Jul 2014 01:20:08 +0000
Subject: [PATCH] Added length validation to the Decrypt and VerifySignature
 methods.

---
 NSspi/Contexts/Context.cs | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/NSspi/Contexts/Context.cs b/NSspi/Contexts/Context.cs
index 16acc7b..3347866 100644
--- a/NSspi/Contexts/Context.cs
+++ b/NSspi/Contexts/Context.cs
@@ -201,6 +201,10 @@ namespace NSspi.Contexts
             paddingLength = ByteWriter.ReadInt16_BE( input, position );
             position += 2;
 
+            if ( trailerLength + dataLength + paddingLength + 2 + 4 + 2 > input.Length )
+            {
+                throw new ArgumentException( "The buffer contains invalid data - the embedded length data does not add up." );
+            }
 
             trailerBuffer = new SecureBuffer( new byte[trailerLength], BufferType.Token );
             dataBuffer = new SecureBuffer( new byte[dataLength], BufferType.Data );
@@ -351,6 +355,11 @@ namespace NSspi.Contexts
             sigLen = ByteWriter.ReadInt16_BE( signedMessage, position );
             position += 2;
 
+            if ( messageLen + sigLen + 2 + 4 > signedMessage.Length )
+            {
+                throw new ArgumentException( "The buffer contains invalid data - the embedded length data does not add up." );
+            }
+
             dataBuffer = new SecureBuffer( new byte[messageLen], BufferType.Data );
             Array.Copy( signedMessage, position, dataBuffer.Buffer, 0, messageLen );
             position += messageLen;