rxrpc: Fix several cases where a padded len isn't checked in ticket decode

				       unsigned int *_toklen)

{

	const __be32 *xdr = *_xdr;

	unsigned int toklen = *_toklen, n_parts, loop, tmp;

	unsigned int toklen = *_toklen, n_parts, loop, tmp, paddedlen;

	/* there must be at least one name, and at least #names+1 length

	 * words */

		toklen -= 4;

		if (tmp <= 0 || tmp > AFSTOKEN_STRING_MAX)

			return -EINVAL;

		if (tmp > toklen)

		paddedlen = (tmp + 3) & ~3;

		if (paddedlen > toklen)

			return -EINVAL;

		princ->name_parts[loop] = kmalloc(tmp + 1, GFP_KERNEL);

		if (!princ->name_parts[loop])

			return -ENOMEM;

		memcpy(princ->name_parts[loop], xdr, tmp);

		princ->name_parts[loop][tmp] = 0;

		tmp = (tmp + 3) & ~3;

		toklen -= tmp;

		xdr += tmp >> 2;

		toklen -= paddedlen;

		xdr += paddedlen >> 2;

	}

	if (toklen < 4)

	toklen -= 4;

	if (tmp <= 0 || tmp > AFSTOKEN_K5_REALM_MAX)

		return -EINVAL;

	if (tmp > toklen)

	paddedlen = (tmp + 3) & ~3;

	if (paddedlen > toklen)

		return -EINVAL;

	princ->realm = kmalloc(tmp + 1, GFP_KERNEL);

	if (!princ->realm)

		return -ENOMEM;

	memcpy(princ->realm, xdr, tmp);

	princ->realm[tmp] = 0;

	tmp = (tmp + 3) & ~3;

	toklen -= tmp;

	xdr += tmp >> 2;

	toklen -= paddedlen;

	xdr += paddedlen >> 2;

	_debug("%s/...@%s", princ->name_parts[0], princ->realm);

					 unsigned int *_toklen)

{

	const __be32 *xdr = *_xdr;

	unsigned int toklen = *_toklen, len;

	unsigned int toklen = *_toklen, len, paddedlen;

	/* there must be at least one tag and one length word */

	if (toklen <= 8)

	toklen -= 8;

	if (len > max_data_size)

		return -EINVAL;

	paddedlen = (len + 3) & ~3;

	if (paddedlen > toklen)

		return -EINVAL;

	td->data_len = len;

	if (len > 0) {

		td->data = kmemdup(xdr, len, GFP_KERNEL);

		if (!td->data)

			return -ENOMEM;

		len = (len + 3) & ~3;

		toklen -= len;

		xdr += len >> 2;

		toklen -= paddedlen;

		xdr += paddedlen >> 2;

	}

	_debug("tag %x len %x", td->tag, td->data_len);

				    const __be32 **_xdr, unsigned int *_toklen)

{

	const __be32 *xdr = *_xdr;

	unsigned int toklen = *_toklen, len;

	unsigned int toklen = *_toklen, len, paddedlen;

	/* there must be at least one length word */

	if (toklen <= 4)

	toklen -= 4;

	if (len > AFSTOKEN_K5_TIX_MAX)

		return -EINVAL;

	paddedlen = (len + 3) & ~3;

	if (paddedlen > toklen)

		return -EINVAL;

	*_tktlen = len;

	_debug("ticket len %u", len);

		*_ticket = kmemdup(xdr, len, GFP_KERNEL);

		if (!*_ticket)

			return -ENOMEM;

		len = (len + 3) & ~3;

		toklen -= len;

		xdr += len >> 2;

		toklen -= paddedlen;

		xdr += paddedlen >> 2;

	}

	*_xdr = xdr;

{

	const __be32 *xdr = prep->data, *token;

	const char *cp;

	unsigned int len, tmp, loop, ntoken, toklen, sec_ix;

	unsigned int len, paddedlen, loop, ntoken, toklen, sec_ix;

	size_t datalen = prep->datalen;

	int ret;

	if (len < 1 || len > AFSTOKEN_CELL_MAX)

		goto not_xdr;

	datalen -= 4;

	tmp = (len + 3) & ~3;

	if (tmp > datalen)

	paddedlen = (len + 3) & ~3;

	if (paddedlen > datalen)

		goto not_xdr;

	cp = (const char *) xdr;

	for (loop = 0; loop < len; loop++)

		if (!isprint(cp[loop]))

			goto not_xdr;

	if (len < tmp)

		for (; loop < tmp; loop++)

	for (; loop < paddedlen; loop++)

		if (cp[loop])

			goto not_xdr;

	_debug("cellname: [%u/%u] '%*.*s'",

	       len, tmp, len, len, (const char *) xdr);

	datalen -= tmp;

	xdr += tmp >> 2;

	       len, paddedlen, len, len, (const char *) xdr);

	datalen -= paddedlen;

	xdr += paddedlen >> 2;

	/* get the token count */

	if (datalen < 12)

		sec_ix = ntohl(*xdr);

		datalen -= 4;

		_debug("token: [%x/%zx] %x", toklen, datalen, sec_ix);

		if (toklen < 20 || toklen > datalen)

		paddedlen = (toklen + 3) & ~3;

		if (toklen < 20 || toklen > datalen || paddedlen > datalen)

			goto not_xdr;

		datalen -= (toklen + 3) & ~3;

		xdr += (toklen + 3) >> 2;

		datalen -= paddedlen;

		xdr += paddedlen >> 2;

	} while (--loop > 0);