[31522] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.22]: Prevent read overrun in svc_auth_gssapi
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Thu Apr 23 18:25:45 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260423222539.870F310503F@krbdev.mit.edu>
Date: Thu, 23 Apr 2026 18:25:39 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/9d9487956766f74485a32de6ad0f628f4251a6f0
commit 9d9487956766f74485a32de6ad0f628f4251a6f0
Author: Rahul Hoysala <rahulhoysala07@gmail.com>
Date: Sat Mar 21 12:29:44 2026 +0530
Prevent read overrun in svc_auth_gssapi
In gssrpc__svcauth_gssapi(), check that the client handle length is at
least 4, to prevent an out-of-bounds read by get_client().
[ghudson@mit.edu: combined length<4 check with length==0 check;
rewrote commit message]
(cherry picked from commit f8a0bee0a54ba0d96804631a3261ecd233051863)
ticket: 9201
version_fixed: 1.22.3
src/lib/rpc/svc_auth_gssapi.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
index 267c1545b..4be1e0433 100644
--- a/src/lib/rpc/svc_auth_gssapi.c
+++ b/src/lib/rpc/svc_auth_gssapi.c
@@ -253,8 +253,8 @@ enum auth_stat gssrpc__svcauth_gssapi(
goto error;
}
} else {
- if (creds.client_handle.length == 0) {
- PRINTF(("svcauth_gssapi: expected non-empty creds\n"));
+ if (creds.client_handle.length < 4) {
+ PRINTF(("svcauth_gssapi: expected creds length at least 4\n"));
LOG_MISCERR("protocol error in client credentials");
ret = AUTH_FAILED;
goto error;
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
