From f6adcd6bfc1977132e7ac0bae9c9b559f051a72a Mon Sep 17 00:00:00 2001
From: domosekai <54519668+domosekai@users.noreply.github.com>
Date: Sun, 4 Jul 2021 05:53:24 +0000
Subject: [PATCH] Cedar/Connection.c: Fix buffer overflow when inserting NAT-T information
---
 src/Cedar/Connection.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/Cedar/Connection.c b/src/Cedar/Connection.c
index 6e917388..c7096475 100644
--- a/src/Cedar/Connection.c
+++ b/src/Cedar/Connection.c
@@ -909,20 +909,24 @@ void SendKeepAlive(CONNECTION *c, TCPSOCK *ts)
 if (s->UseUdpAcceleration && udp_accel != NULL) { + UINT required_size = 0; + if (udp_accel->MyPortNatT != 0) { - size = MAX(size, (StrLen(UDP_NAT_T_PORT_SIGNATURE_IN_KEEP_ALIVE) + sizeof(USHORT))); + required_size += StrLen(UDP_NAT_T_PORT_SIGNATURE_IN_KEEP_ALIVE) + sizeof(USHORT); insert_natt_port = true; } if (IsZeroIP(&udp_accel->MyIpNatT) == false) { - size = MAX(size, (StrLen(UDP_NAT_T_IP_SIGNATURE_IN_KEEP_ALIVE) + sizeof(udp_accel->MyIpNatT.address))); + required_size += StrLen(UDP_NAT_T_IP_SIGNATURE_IN_KEEP_ALIVE) + sizeof(udp_accel->MyIpNatT.address); insert_natt_ip = true; } + size = MAX(size, required_size); + } buf = MallocFast(size);
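Review bot: Nothing at `UINT required_size = 0;` records why the two NAT-T lengths are now added instead of compared, and the code that copies the signatures into `buf` lies outside this hunk, so the allocation and the writes can drift apart again when a third field is appended. A comment such as `// Port and IP blobs are written back to back into buf, so their lengths add up` would document the invariant next to the arithmetic. Assuming the copy code advances an offset through `buf`, a check there that the offset plus the next blob length stays within `size` would turn a future mismatch into a detectable error rather than a heap overflow. `SendKeepAlive` starts and ends outside the hunk, so the write side cannot be confirmed from here.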