

krb5 commit: Use k5_ser_unpack_len() to simplify code

daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Sat May 16 18:37:12 2026

From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260516223704.96A761054F5@krbdev.mit.edu>
Date: Sat, 16 May 2026 18:37:04 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/118f7da5ddd446a5efcedc8343b6c7aefef47742
commit 118f7da5ddd446a5efcedc8343b6c7aefef47742
Author: Greg Hudson <ghudson@mit.edu>
Date:   Wed May 13 22:44:48 2026 -0400

    Use k5_ser_unpack_len() to simplify code
    
    Export k5_ser_unpack_len() as a private symbol and use it in GSS
    context serialization.  Use it in libkrb5 to replace existing bounds
    checks.

 src/lib/gssapi/krb5/ser_sctx.c            | 37 +++++++++++--------------------
 src/lib/krb5/krb/ai_authdata.c            | 14 +++---------
 src/lib/krb5/krb/authdata.c               |  9 ++------
 src/lib/krb5_32.def                       |  6 ++++-
 src/plugins/authdata/greet_client/greet.c |  9 +++-----
 5 files changed, 26 insertions(+), 49 deletions(-)

diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c
index 2e82be903..0c18f37b7 100644
--- a/src/lib/gssapi/krb5/ser_sctx.c
+++ b/src/lib/gssapi/krb5/ser_sctx.c
@@ -65,7 +65,7 @@ kg_oid_internalize(gss_OID *argp, krb5_octet **buffer, size_t *lenremain)
     gss_OID oid;
     krb5_int32 ibuf;
     krb5_octet         *bp;
-    size_t             remain;
+    size_t             remain, len;
 
     bp = *buffer;
     remain = *lenremain;
@@ -80,16 +80,12 @@ kg_oid_internalize(gss_OID *argp, krb5_octet **buffer, size_t *lenremain)
     oid = (gss_OID) malloc(sizeof(gss_OID_desc));
     if (oid == NULL)
         return ENOMEM;
-    if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) {
-        free(oid);
-        return EINVAL;
-    }
-    if (ibuf < 0 || (size_t)ibuf > remain) {
+    if (k5_ser_unpack_len(&len, &bp, &remain)) {
         free(oid);
         return EINVAL;
     }
-    oid->length = ibuf;
-    oid->elements = malloc((size_t)ibuf);
+    oid->length = len;
+    oid->elements = malloc(len);
     if (oid->elements == 0) {
         free(oid);
         return ENOMEM;
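Review bot: `oid->length = len;` now narrows a size_t into the OM_uint32 length field of gss_OID_desc, where the removed `ibuf` path guaranteed a non-negative int32; if k5_ser_unpack_len() decodes a 32-bit field and bounds it by `remain` (its definition is not in this diff) the narrowing cannot truncate, but that reliance is worth recording at the assignment, e.g. `/* len <= remain and came from a 32-bit field, so it fits OM_uint32. */`. The same size_t-to-unsigned narrowing appears in authdata.c at `name.length = namelen;`, where krb5_data.length is an unsigned int. The body of kg_oid_internalize() continues outside this hunk.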
@@ -493,7 +489,7 @@ kg_ctx_internalize(krb5_context kcontext, krb5_gss_ctx_id_t *argp,
     krb5_gss_ctx_id_rec *ctx;
     krb5_int32          ibuf;
     krb5_octet          *bp;
-    size_t              remain;
+    size_t              remain, len, i;
     krb5int_access kaccess;
     krb5_principal        princ;
 
@@ -635,21 +631,14 @@ kg_ctx_internalize(krb5_context kcontext, krb5_gss_ctx_id_t *argp,
             ctx->cred_rcache = ibuf;
             /* authdata */
             if (!kret)
-                kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain);
-            if (!kret && (ibuf < 0 || (size_t)ibuf > remain))
-                kret = ENOMEM;
-            if (!kret) {
-                krb5_int32 nadata = ibuf, i;
-
-                if (nadata > 0) {
-                    ctx->authdata = (krb5_authdata **)calloc((size_t)nadata + 1,
-                                                             sizeof(krb5_authdata *));
-                    if (ctx->authdata == NULL) {
-                        kret = ENOMEM;
-                    } else {
-                        for (i = 0; !kret && i < nadata; i++)
-                            kret = k5_internalize_authdata(&ctx->authdata[i],
-                                                           &bp, &remain);
+                kret = k5_ser_unpack_len(&len, &bp, &remain);
+            if (!kret && len > 0) {
+                ctx->authdata = k5calloc(len + 1, sizeof(*ctx->authdata),
+                                         &kret);
+                if (ctx->authdata != NULL) {
+                    for (i = 0; !kret && i < len; i++) {
+                        kret = k5_internalize_authdata(&ctx->authdata[i],
+                                                       &bp, &remain);
                     }
                 }
             }
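Review bot: The new `if (ctx->authdata != NULL)` test carries the allocation-failure path only because k5calloc() is passed `&kret`, which replaces the removed explicit `kret = ENOMEM` branch; to a reader this now looks like a silently ignored failed allocation, so a one-line comment above the test would help, e.g. `/* k5calloc() stores ENOMEM in kret on failure. */`. The loop condition `!kret && i < len` is what stops internalization after the first failing element, which is the same behaviour the old int32 loop had. The enclosing kg_ctx_internalize() body runs past both ends of this hunk.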
diff --git a/src/lib/krb5/krb/ai_authdata.c b/src/lib/krb5/krb/ai_authdata.c
index d3f671883..adcc780df 100644
--- a/src/lib/krb5/krb/ai_authdata.c
+++ b/src/lib/krb5/krb/ai_authdata.c
@@ -259,19 +259,15 @@ authind_internalize(krb5_context kcontext, krb5_authdata_context context,
 {
     struct authind_context *aictx = request_context;
     krb5_error_code ret;
-    int32_t count, len, i;
     uint8_t *bp = *buffer;
-    size_t remain = *lenremain;
+    size_t remain = *lenremain, len, count, i;
     krb5_data **inds = NULL;
 
     /* Get the count. */
-    ret = krb5_ser_unpack_int32(&count, &bp, &remain);
+    ret = k5_ser_unpack_len(&count, &bp, &remain);
     if (ret)
         return ret;
 
-    if (count < 0 || (size_t)count > remain)
-        return ERANGE;
-
     if (count > 0) {
         inds = k5calloc(count + 1, sizeof(*inds), &ret);
         if (inds == NULL)
@@ -280,13 +276,9 @@ authind_internalize(krb5_context kcontext, krb5_authdata_context context,
 
     for (i = 0; i < count; i++) {
         /* Get the length. */
-        ret = krb5_ser_unpack_int32(&len, &bp, &remain);
+        ret = k5_ser_unpack_len(&len, &bp, &remain);
         if (ret)
             goto cleanup;
-        if (len < 0 || (size_t)len > remain) {
-            ret = ERANGE;
-            goto cleanup;
-        }
 
         /* Get the indicator. */
         inds[i] = k5alloc(sizeof(*inds[i]), &ret);
diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c
index 30c3d618d..733370cd7 100644
--- a/src/lib/krb5/krb/authdata.c
+++ b/src/lib/krb5/krb/authdata.c
@@ -326,18 +326,13 @@ k5_ad_internalize(krb5_context kcontext,
 
     for (i = 0; i < count; i++) {
         struct _krb5_authdata_context_module *module;
-        krb5_int32 namelen;
+        size_t namelen;
         krb5_data name;
 
-        code = krb5_ser_unpack_int32(&namelen, &bp, &remain);
+        code = k5_ser_unpack_len(&namelen, &bp, &remain);
         if (code != 0)
             break;
 
-        if (remain < (size_t)namelen) {
-            code = ENOMEM;
-            break;
-        }
-
         name.length = namelen;
         name.data = (char *)bp;
 
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 23ad3f402..91f60a456 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -517,7 +517,11 @@ EXPORTS
 	encode_krb5_pkinit_supp_pub_info		@478 ; PRIVATE
 	krb5int_copy_data_contents			@479 ; PRIVATE
 	krb5_free_pa_data				@480 ; PRIVATE
-; private symbols new in 1.23, used by klist
+
+; new in 1.23
+; private symbols used by klist
 	k5_unwrap_cammac_svc				@481 ; PRIVATE
 	k5_authind_decode				@482 ; PRIVATE
 	k5_free_data_ptr_list				@483 ; PRIVATE
+; private symbol used by GSSAPI serialization
+	k5_ser_unpack_len				@484 ; PRIVATE
diff --git a/src/plugins/authdata/greet_client/greet.c b/src/plugins/authdata/greet_client/greet.c
index 3d1a9570c..778ce7c9f 100644
--- a/src/plugins/authdata/greet_client/greet.c
+++ b/src/plugins/authdata/greet_client/greet.c
@@ -335,22 +335,19 @@ greet_internalize(krb5_context kcontext,
 {
     struct greet_context *greet = (struct greet_context *)request_context;
     krb5_error_code code;
-    krb5_int32 length;
     krb5_octet *contents = NULL;
     krb5_int32 verified;
     krb5_int32 was_absent;
     krb5_octet *bp;
-    size_t remain;
+    size_t remain, length;
 
     bp = *buffer;
     remain = *lenremain;
 
     /* Greeting Length */
-    code = krb5_ser_unpack_int32(&length, &bp, &remain);
+    code = k5_ser_unpack_len(&length, &bp, &remain);
     if (code != 0)
         return code;
-    if (length < 0 || (size_t)length > remain)
-        return ENOMEM;
 
     /* Greeting Contents */
     if (length != 0) {
@@ -358,7 +355,7 @@ greet_internalize(krb5_context kcontext,
         if (contents == NULL)
             return ENOMEM;
 
-        code = krb5_ser_unpack_bytes(contents, (size_t)length, &bp, &remain);
+        code = krb5_ser_unpack_bytes(contents, length, &bp, &remain);
         if (code != 0) {
             free(contents);
             return code;
