[31536] in CVS-changelog-for-Kerberos-V5
krb5 commit: Avoid null dereference in krb5_rd_cred()
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Mon May 18 21:25:48 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260519012541.5E0C1105503@krbdev.mit.edu>
Date: Mon, 18 May 2026 21:25:41 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/48afa9abb89ab2176bb20624d87d010b9984fc08
commit 48afa9abb89ab2176bb20624d87d010b9984fc08
Author: TristanInSec <tristan.mtn@gmail.com>
Date: Mon May 18 11:57:21 2026 -0400
Avoid null dereference in krb5_rd_cred()
A malformed KRB-CRED message may have fewer entries in the encrypted
ticket-info list than it has in the tickets list. In each loop
iteration, check if we unexpectedly reached the end of the ticket-info
list to avoid a null dereference.
[ghudson@mit.edu: added comment; rewrote commit message]
ticket: 9211 (new)
tags: pullup
target_version: 1.22-next
src/lib/krb5/krb/rd_cred.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index d89a98ae0..c341eba15 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -98,6 +98,11 @@ make_cred_list(krb5_context context, krb5_cred *krbcred,
goto cleanup;
info = encpart->ticket_info[i];
+ if (info == NULL) {
+ /* We unexpectedly reached the end of the encrypted ticket info. */
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
ret = krb5_copy_principal(context, info->client, &list[i]->client);
if (ret)
goto cleanup;
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
