krb5 commit: Better validate key_data_ver in iprop decoding
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Wed Jun 10 16:12:47 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260610201241.620A910554A@krbdev.mit.edu>
Date: Wed, 10 Jun 2026 16:12:41 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/7262b0f49e3c37b7237280a1b2e38228831a795d
commit 7262b0f49e3c37b7237280a1b2e38228831a795d
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Jun 4 13:46:34 2026 -0400
Better validate key_data_ver in iprop decoding
In ulog_conv_2dbentry(), when decoding an update's AT_KEYDATA
attribute, the decoded key_data_ver value is used as a bound on the
enctype and contents fields. Verify that this value does not exceed
the sizes of the update's enctype and contents XDR arrays, to prevent
reading past the end of those arrays. Also check against the expected
lower bound. Reported by Haruki Oyama.
ticket: 9218 (new)
tags: pullup
target_version: 1.22-next
src/lib/kdb/kdb_convert.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/lib/kdb/kdb_convert.c b/src/lib/kdb/kdb_convert.c
index 59952f55e..1231abc4f 100644
--- a/src/lib/kdb/kdb_convert.c
+++ b/src/lib/kdb/kdb_convert.c
@@ -677,8 +677,10 @@ ulog_conv_2dbentry(krb5_context context, krb5_db_entry **entry,
kdbe_key_t *kv = &ULOG_ENTRY_KEYVAL(update, i, j);
kp->key_data_ver = (krb5_int16)kv->k_ver;
kp->key_data_kvno = (krb5_ui_2)kv->k_kvno;
- if (kp->key_data_ver > 2) {
- ret = EINVAL; /* XXX ? */
+ if (kp->key_data_ver < 1 || kp->key_data_ver > 2 ||
+ (u_int)kp->key_data_ver > kv->k_enctype.k_enctype_len ||
+ (u_int)kp->key_data_ver > kv->k_contents.k_contents_len) {
+ ret = EINVAL;
goto cleanup;
}
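Review bot: The new range test is evaluated on the already-narrowed kp->key_data_ver rather than on kv->k_ver itself; since the assignment two lines above casts kv->k_ver to krb5_int16, any wider value whose low 16 bits happen to land in 1..2 (for example 0x10001, if k_ver is a 32-bit XDR int) is silently accepted as version 1 instead of being rejected. Consider checking `kv->k_ver < 1 || kv->k_ver > 2` before the narrowing assignment, then comparing against the array lengths. The ordering within the new condition is otherwise right: the `< 1` test comes first, so by the time the `(u_int)` casts are evaluated key_data_ver is known to be positive and cannot wrap to a large unsigned value. A one-line comment stating that key_data_ver bounds the reads of k_enctype and k_contents would make the purpose of the two length comparisons clear to the next reader, now that the `/* XXX ? */` marker is gone.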
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5