[31512] in CVS-changelog-for-Kerberos-V5
krb5 commit: Prevent read overrun in svc_auth_gssapi
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Mon Mar 23 14:59:05 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260323185859.EF30E1049C3@krbdev.mit.edu>
Date: Mon, 23 Mar 2026 14:58:59 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/f8a0bee0a54ba0d96804631a3261ecd233051863
commit f8a0bee0a54ba0d96804631a3261ecd233051863
Author: Rahul Hoysala <rahulhoysala07@gmail.com>
Date: Sat Mar 21 12:29:44 2026 +0530
Prevent read overrun in svc_auth_gssapi
In gssrpc__svcauth_gssapi(), check that the client handle length is at
least 4, to prevent an out-of-bounds read by get_client().
[ghudson@mit.edu: combined length<4 check with length==0 check;
rewrote commit message]
ticket: 9201 (new)
tags: pullup
target_version: 1.22-next
src/lib/rpc/svc_auth_gssapi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
index 267c1545b..4be1e0433 100644
--- a/src/lib/rpc/svc_auth_gssapi.c
+++ b/src/lib/rpc/svc_auth_gssapi.c
@@ -253,8 +253,8 @@ enum auth_stat gssrpc__svcauth_gssapi(
goto error;
}
} else {
- if (creds.client_handle.length == 0) {
- PRINTF(("svcauth_gssapi: expected non-empty creds\n"));
+ if (creds.client_handle.length < 4) {
+ PRINTF(("svcauth_gssapi: expected creds length at least 4\n"));
LOG_MISCERR("protocol error in client credentials");
ret = AUTH_FAILED;
goto error;
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
