[31558] in CVS-changelog-for-Kerberos-V5
krb5 commit: Prevent integer overrun in keytab parsing
daemon@ATHENA.MIT.EDU (ghudson@mit.edu)
Wed Jul 15 16:30:30 2026
From: ghudson@mit.edu
To: cvs-krb5@mit.edu
Message-Id: <20260715203021.437FF101C60@krbdev.mit.edu>
Date: Wed, 15 Jul 2026 16:30:21 -0400 (EDT)
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/c5629fdffee70a296429d580a890e21c6fa17665
commit c5629fdffee70a296429d580a890e21c6fa17665
Author: Greg Hudson <ghudson@mit.edu>
Date: Sat Jul 11 19:43:08 2026 -0400
Prevent integer overrun in keytab parsing
In krb5_ktfileint_internal_read_entry(), once we have read the size
and determined the starting point of a keytab record, bounds-check the
size to prevent an integer overflow when we seek to the next record.
(Discovered by OSS-Fuzz.)
ticket: 9224 (new)
tags: pullup
target_version: 1.22-next
bigredbutton: whitespace
src/lib/krb5/keytab/kt_file.c | 2 ++
src/tests/fuzzing/fuzz_keytab_seed_corpus/big_size | Bin 0 -> 28 bytes
2 files changed, 2 insertions(+)
diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 00fb072d9..562990a89 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -935,6 +935,8 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke
}
start_pos = ftell(KTFILEP(id));
+ if (size > INT32_MAX - start_pos)
+ return KRB5_KT_FORMAT;
/* deal with guts of parsing... */
diff --git a/src/tests/fuzzing/fuzz_keytab_seed_corpus/big_size b/src/tests/fuzzing/fuzz_keytab_seed_corpus/big_size
new file mode 100644
index 000000000..7a1e6c2c5
Binary files /dev/null and b/src/tests/fuzzing/fuzz_keytab_seed_corpus/big_size differ
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5