[31456] in CVS-changelog-for-Kerberos-V5

krb5 commit [krb5-1.21]: Fix potential PAC processing crash

daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Mon Aug 4 18:32:14 2025

From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20250804223211.3026A103EB9@krbdev.mit.edu>
Date: Mon,  4 Aug 2025 18:32:11 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/79b244de8be6902a4af2c78e6619a815a1df8722
commit 79b244de8be6902a4af2c78e6619a815a1df8722
Author: Arjun <pkillarjun@protonmail.com>
Date:   Fri Oct 11 08:52:52 2024 +0530

    Fix potential PAC processing crash
    
    An input to krb5_pac_parse() with a zero-length buffer at the end of
    the PAC can cause an assertion failure in k5_pac_locate_buffer() due
    to an off-by-one error.  Correct the assertion.
    
    [ghudson@mit.edu: edited commit message]
    
    (cherry picked from commit 331e393c6def46c00b6b54e1b2a0d1080c2af9e0)
    
    ticket: 9144
    version_fixed: 1.21.4

 src/lib/krb5/krb/pac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 77adcd272..909196b8d 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -146,7 +146,7 @@ k5_pac_locate_buffer(krb5_context context, const krb5_pac pac, uint32_t type,
     if (buffer == NULL)
         return ENOENT;
 
-    assert(buffer->offset < pac->data.length);
+    assert(buffer->offset <= pac->data.length);
     assert(buffer->size <= pac->data.length - buffer->offset);
 
     if (data_out != NULL)
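
Review bot: The relaxed bound in the first assertion, assert(buffer->offset <= pac->data.length), has no comment saying why equality is allowed, so it reads like an off-by-one and could be "corrected" back later. A one-line comment above it would help, noting that a zero-length buffer may sit exactly at the end of the PAC data. The first assertion still has to stay: it is what keeps pac->data.length - buffer->offset in the second assertion from wrapping around as an unsigned value. The diffstat lists only pac.c, so no regression test comes with the fix. Since the commit message describes the failure as reachable from krb5_pac_parse() input, a test that parses a PAC ending in a zero-length buffer and then locates that buffer would pin the behaviour down.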
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
