[31546] in CVS-changelog-for-Kerberos-V5
krb5 commit: Avoid another null dereference in krb5_rd_cred()
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Thu Jun 11 17:07:19 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260611210709.B8792105210@krbdev.mit.edu>
Date: Thu, 11 Jun 2026 17:07:09 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/5031b854ad8ba6cce20cdd8c991f81dbc3f924bd
commit 5031b854ad8ba6cce20cdd8c991f81dbc3f924bd
Author: Rahul Hoysala <rahulhoysala07@gmail.com>
Date: Thu Jun 4 13:14:45 2026 +0530
Avoid another null dereference in krb5_rd_cred()
In RFC 4120, the ticket client and server principal names are optional
in KrbCredInfo, but we have always required them to be present. Add
checks to prevent null dereferences in krb5_rd_cred() if either name
is not specified.
[ghudson@mit.edu: folded check in with the end-of-list check; rewrote
comment and commit message]
ticket: 9219 (new)
tags: pullup
target_version: 1.22-next
src/lib/krb5/krb/rd_cred.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index c341eba15..80d49fd8b 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -98,8 +98,9 @@ make_cred_list(krb5_context context, krb5_cred *krbcred,
goto cleanup;
info = encpart->ticket_info[i];
- if (info == NULL) {
- /* We unexpectedly reached the end of the encrypted ticket info. */
+ if (info == NULL || info->client == NULL || info->server == NULL) {
+ /* We unexpectedly reached the end of the encrypted ticket info,
+ * or the ticket info is unexpectedly missing a principal name. */
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
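Review bot: The combined condition `if (info == NULL || info->client == NULL || info->server == NULL)` returns KRB5KRB_AP_ERR_MODIFIED for a KrbCredInfo that omits a principal name, the same code used for a truncated ticket_info list, although the commit message notes that RFC 4120 makes both names optional. A conforming message from a peer would then look like tampering to whoever reads the error. Consider stating in the comment that requiring both names is a deliberate restriction of this implementation, or returning a code that distinguishes the two cases. The diffstat also shows only rd_cred.c changing, so a regression test that passes krb5_rd_cred() a KRB-CRED whose ticket info lacks the client or server name would keep this check from being lost in a later refactor of make_cred_list().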