Sanity check s2length on recept.

diff --git a/sender.c b/sender.c
index a9c31bb..7d7b586 100644 (file)
--- a/sender.c
+++ b/sender.c
@@ -42,10 +42,16 @@ void read_sum_head(int f, struct sum_struct *sum)
 
        sum->count = read_int(f);
        sum->blength = read_int(f);
-       if (protocol_version < 27)
+       if (protocol_version < 27) {
                sum->s2length = csum_length;
-       else
+       } else {
                sum->s2length = read_int(f);
+               if (sum->s2length > MD4_SUM_LENGTH) {
+                       rprintf(FERROR, "Invalid checksum length %d\n",
+                           sum->s2length);
+                       exit_cleanup(RERR_PROTOCOL);
+               }
+       }
        sum->remainder = read_int(f);
 }