[31521] in CVS-changelog-for-Kerberos-V5
krb5 commit: Prevent read overrun in libkdb_ldap
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Sat Apr 18 17:49:41 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260418214934.15E331042A5@krbdev.mit.edu>
Date: Sat, 18 Apr 2026 17:49:34 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: multipart/mixed; boundary="===============7016493245866259106=="
Errors-To: cvs-krb5-bounces@mit.edu
--===============7016493245866259106==
Content-Type: text/plain
https://github.com/krb5/krb5/commit/2a5fd83d4436583f2ddc0e193269a4d800ee45c4
commit 2a5fd83d4436583f2ddc0e193269a4d800ee45c4
Author: Sebastián Alba <sebasjosue84@gmail.com>
Date: Wed Apr 8 18:32:25 2026 -0400
Prevent read overrun in libkdb_ldap
In berval2tl_data(), reject inputs of length less than 2 to prevent an
integer underflow and subsequent read overrun. (The security impact
is negligible as the attacker would have to control the KDB LDAP
server.)
[ghudson@mit.edu: wrote commit message]
ticket: 9206 (new)
tags: pullup
target_version: 1.22-next
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 418d253d1..9aa68bacd 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -80,6 +80,9 @@ getstringtime(krb5_timestamp);
krb5_error_code
berval2tl_data(struct berval *in, krb5_tl_data **out)
{
+ if (in->bv_len < 2)
+ return EINVAL;
+
*out = (krb5_tl_data *) malloc (sizeof (krb5_tl_data));
if (*out == NULL)
return ENOMEM;
--===============7016493245866259106==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
--===============7016493245866259106==--
