[29416] in CVS-changelog-for-Kerberos-V5

krb5 commit: Check princ length in krb5_sname_match()

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu May 26 12:19:32 2016

Date: Thu, 26 May 2016 12:19:28 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201605261619.u4QGJSIE001122@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/fb9fcfa92fd37221c77e1a4c0b930383e6839e22
commit fb9fcfa92fd37221c77e1a4c0b930383e6839e22
Author: Greg Hudson <ghudson@mit.edu>
Date:   Thu May 12 16:03:06 2016 -0400

    Check princ length in krb5_sname_match()
    
    krb5_sname_match() can read past the end of princ's component array in
    some circumstances (typically when a keytab contains both "x" and
    "x/y" principals).  Add a length check.  Reported by Spencer Jackson.
    
    ticket: 8415
    target_version: 1.14-next
    target_version: 1.13-next
    tags: pullup

 src/lib/krb5/krb/sname_match.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/src/lib/krb5/krb/sname_match.c b/src/lib/krb5/krb/sname_match.c
index 0c7bd39..9520dfc 100644
--- a/src/lib/krb5/krb/sname_match.c
+++ b/src/lib/krb5/krb/sname_match.c
@@ -36,6 +36,9 @@ krb5_sname_match(krb5_context context, krb5_const_principal matching,
     if (matching->type != KRB5_NT_SRV_HST || matching->length != 2)
         return krb5_principal_compare(context, matching, princ);
 
+    if (princ->length != 2)
+        return FALSE;
+
     /* Check the realm if present in matching. */
     if (matching->realm.length != 0 && !data_eq(matching->realm, princ->realm))
         return FALSE;
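Review bot: The added `if (princ->length != 2)` check carries no comment, unlike the realm check directly below it, so a reader has to infer why a principal that does not have exactly two components is rejected at this point. A one-line comment stating that the host-based comparison that follows assumes princ has two components, mirroring the `matching->length != 2` test two lines above, would make the invariant explicit. The diffstat also shows only sname_match.c changing, so nothing exercises the case named in the commit message (a keytab holding both "x" and "x/y"); a regression test for that case would keep the check from being dropped in a later refactor.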
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5