[31500] in CVS-changelog-for-Kerberos-V5


krb5 commit [krb5-1.22]: Fix uninitialized pointer dereference in

daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Tue Jan 27 23:49:17 2026

From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260128044912.5857B10430D@krbdev.mit.edu>
Date: Tue, 27 Jan 2026 23:49:12 -0500 (EST)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/a9b673942100bdb9568d4ed8cf0d05bf7211d803
commit a9b673942100bdb9568d4ed8cf0d05bf7211d803
Author: Julien Rische <jrische@redhat.com>
Date:   Wed Jan 21 11:31:39 2026 +0100

    Fix uninitialized pointer dereference in libkrad
    
    Commit 871125fea8ce0370a972bf65f7d1de63f619b06c changed
    krad_packet_decode_request() to use a local variable "req" to hold the
    decoded packet until it is verified, instead of immediately storing
    into the caller's *reqpkt.  The code to check for duplicate packets
    erroneously continues to use *reqpkt, causing a read dereference of
    whatever was in *reqpkt on entry to the function (typically null or an
    uninitialized value).  Fix the code to use req instead of *reqpkt.
    
    This bug does not affect the KDC (which only uses libkrad as a
    client), but can crash external software using libkrad as a server if
    it ever processes more than one packet at a time.
    
    [ghudson@mit.edu: edited commit message]
    
    (cherry picked from commit f74a1b3fcde44cfa0d487973fd47a943cda49dc8)
    
    ticket: 9193
    version_fixed: 1.22.2

 src/lib/krad/packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/krad/packet.c b/src/lib/krad/packet.c
index d0a43431b..ae1f6df7d 100644
--- a/src/lib/krad/packet.c
+++ b/src/lib/krad/packet.c
@@ -562,7 +562,7 @@ krad_packet_decode_request(krb5_context ctx, const char *secret,
 
     if (cb != NULL) {
         for (tmp = (*cb)(data, FALSE); tmp != NULL; tmp = (*cb)(data, FALSE)) {
-            if (pkt_id_get(*reqpkt) == pkt_id_get(tmp))
+            if (pkt_id_get(req) == pkt_id_get(tmp))
                 break;
         }
 
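Review bot: the one-line change to compare pkt_id_get(req) is right for this loop, but nothing in the patch guards against the same regression recurring, and the commit message says the KDC never exercises this server-side path, so no existing caller would have caught it. Suggest (a) a libkrad test that decodes two requests in a row with a callback that yields an outstanding packet, so the duplicate check runs at least once with a non-NULL list, and (b) setting *reqpkt = NULL on entry to krad_packet_decode_request() so that any future pre-assignment read of *reqpkt fails deterministically instead of dereferencing whatever the caller left there. Since the diffstat shows only this line changed, it is also worth confirming in review that no other read of *reqpkt remains between the decode of req and the final store into *reqpkt.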
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
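The following is an added example and not libkrad or krb5 code: a minimal model of the bug pattern the commit message describes. A decoder parses a request into a local "req", checks it against outstanding packets supplied by an iterator callback, and only then stores it into the caller's *reqpkt; the regressed variant reads *reqpkt during the duplicate check, i.e. whatever the caller had there. With a NULL *reqpkt that read is the crash the commit message mentions, so the scenario here hands in a stale pointer from an earlier packet instead, which makes the wrong answer observable (a missed duplicate or a falsely dropped request) without undefined behaviour. All names, types, result codes and the 1-byte-id wire format are hypothetical.

```c
/* Added example, not libkrad code. Names and the wire format are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_BODY 16

typedef struct {
    uint8_t id;              /* hypothetical 1-byte packet identifier */
    uint8_t body[MAX_BODY];
    size_t body_len;
} pkt;

static uint8_t pkt_id_get(const pkt *p) { return p->id; }

/* Iterator callback in the (*cb)(data, reset) shape seen in the hunk:
 * yields each outstanding packet in turn, then NULL. */
typedef const pkt *(*iter_cb)(void *data, bool reset);

typedef struct {
    const pkt *items;
    size_t count;
    size_t pos;
} outstanding_list;

static const pkt *outstanding_next(void *data, bool reset)
{
    outstanding_list *o = data;
    if (reset)
        o->pos = 0;
    return o->pos < o->count ? &o->items[o->pos++] : NULL;
}

/* Parse "id byte + payload" into *out. Returns 0, or -2 on malformed input. */
static int parse_packet(const uint8_t *buf, size_t len, pkt *out)
{
    if (len < 1 || len - 1 > MAX_BODY)
        return -2;
    out->id = buf[0];
    out->body_len = len - 1;
    memcpy(out->body, buf + 1, out->body_len);
    return 0;
}

/* True if any outstanding packet carries the same id as *candidate. */
static bool is_duplicate(const pkt *candidate, iter_cb cb, void *data)
{
    const pkt *tmp;
    if (cb == NULL)
        return false;
    for (tmp = cb(data, true); tmp != NULL; tmp = cb(data, false))
        if (pkt_id_get(candidate) == pkt_id_get(tmp))
            return true;
    return false;
}

/* Regressed variant: the duplicate check reads *reqpkt before it has been
 * assigned. Returns 0 ok, -1 duplicate, -2 malformed. */
static int decode_request_buggy(const uint8_t *buf, size_t len, iter_cb cb,
                                void *data, pkt *storage, pkt **reqpkt)
{
    pkt *req = storage;
    int ret = parse_packet(buf, len, req);
    if (ret != 0)
        return ret;
    if (is_duplicate(*reqpkt, cb, data))   /* BUG: caller-owned, unassigned */
        return -1;
    *reqpkt = req;
    return 0;
}

/* Fixed variant: the check uses the local req, as in the patch. */
static int decode_request_fixed(const uint8_t *buf, size_t len, iter_cb cb,
                                void *data, pkt *storage, pkt **reqpkt)
{
    pkt *req = storage;
    int ret = parse_packet(buf, len, req);
    if (ret != 0)
        return ret;
    if (is_duplicate(req, cb, data))
        return -1;
    *reqpkt = req;
    return 0;
}

/* Constructed scenario: one outstanding packet (id 7), a stale pointer left in
 * *reqpkt from an earlier packet (stale_id), and a new request carrying new_id.
 * Returns the decoder's result code. */
static int run_scenario(bool buggy, uint8_t stale_id, uint8_t new_id)
{
    const pkt outstanding[] = { { .id = 7, .body_len = 0 } };
    outstanding_list list = { outstanding, 1, 0 };
    pkt stale = { .id = stale_id, .body_len = 0 };
    pkt storage;
    pkt *reqpkt = &stale;                          /* constructed stale input */
    const uint8_t wire[] = { new_id, 0xAA, 0xBB }; /* constructed request */

    return buggy
        ? decode_request_buggy(wire, sizeof wire, outstanding_next, &list,
                               &storage, &reqpkt)
        : decode_request_fixed(wire, sizeof wire, outstanding_next, &list,
                               &storage, &reqpkt);
}
```

With a stale pointer to id 3 and a new request with id 7, the fixed decoder reports the duplicate and the buggy one lets it through; with a stale pointer to id 7 and a new request with id 9, the buggy decoder instead drops a legitimate request. Both outcomes follow directly from comparing the wrong packet's id, which is why the only behavioural difference between the two variants is the single argument the patch changes.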
