[31524] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.22]: Prevent read overrun in libkdb_ldap
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Thu Apr 23 18:25:58 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260423222551.AD9BC105055@krbdev.mit.edu>
Date: Thu, 23 Apr 2026 18:25:51 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: multipart/mixed; boundary="===============2075677009278596051=="
Errors-To: cvs-krb5-bounces@mit.edu
--===============2075677009278596051==
Content-Type: text/plain
https://github.com/krb5/krb5/commit/974a8875767a2f375669f84b176c7d98a7c85a20
commit 974a8875767a2f375669f84b176c7d98a7c85a20
Author: Sebastián Alba <sebasjosue84@gmail.com>
Date: Wed Apr 8 18:32:25 2026 -0400
Prevent read overrun in libkdb_ldap
In berval2tl_data(), reject inputs of length less than 2 to prevent an
integer underflow and subsequent read overrun. (The security impact
is negligible as the attacker would have to control the KDB LDAP
server.)
[ghudson@mit.edu: wrote commit message]
(cherry picked from commit 2a5fd83d4436583f2ddc0e193269a4d800ee45c4)
ticket: 9206
version_fixed: 1.22.3
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ae4e03f8c..525e8d027 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -80,6 +80,9 @@ getstringtime(krb5_timestamp);
krb5_error_code
berval2tl_data(struct berval *in, krb5_tl_data **out)
{
+ if (in->bv_len < 2)
+ return EINVAL;
+
*out = (krb5_tl_data *) malloc (sizeof (krb5_tl_data));
if (*out == NULL)
return ENOMEM;
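Review bot: The early return added at `if (in->bv_len < 2)` leaves `*out` unassigned, whereas the ENOMEM path just below returns with `*out` already set to NULL by the failed malloc. A caller that frees or inspects `*out` after any error would read an uninitialized pointer on the new EINVAL path; assigning `*out = NULL;` before the length check would make the two error paths consistent. The bare `2` also deserves a short comment saying which two bytes it accounts for, since the subtraction that underflows (per the commit message) is not visible in this hunk.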
--===============2075677009278596051==--