[16561] in Kerberos-V5-bugs
[krbdev.mit.edu #8914] Invalid negative record length in keytab file
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Fri Jun 12 18:38:42 2020
From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To: <07C4B3B3-2D0B-4299-B6D5-7A370FC6736D@stsci.edu>
Message-ID: <rt-4.4.4-127825-1592001514-1242.8914-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8914":;
Date: Fri, 12 Jun 2020 18:38:34 -0400
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8914 >

There are two reasonable ways to react to a length value of -2^31: throw an
error because the size of the purported hole is absurdly large, or skip forward
2^31 bytes. (The value is absurd because an entry is only a little bit longer
than the marshalled principal name, and a principal name shouldn't marshal to
anywhere near 2^31 bytes.)

To throw an error we can simply add a comparison to INT32_MIN.

Handling the value as stated would require more work. If we could assume that
long is 64 bits, it would be fairly easy; we'd just have to adjust the
marshalling code so that the variable size is of type long instead of int32_t.
But we can't assume that long is 64 bits, even in the steady state (long is
still 32 bits on 64-bit Windows), so we'd have to abandon stdio and use POSIX
I/O. That almost certainly isn't worth it.
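The first option in the message above (treat a record length of INT32_MIN as an error) shown as an added C sketch; it is not part of the original message and is not krb5's code. The 0x0502 version bytes, big-endian length field and negative-length holes follow the keytab file format; `scan_keytab`, the sample buffers and the check against the buffer size are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: version 0x0502, then records. */
static const unsigned char sample_ok[] = {      /* 4-byte hole, 2-byte entry */
    5, 2, 0xFF, 0xFF, 0xFF, 0xFC, 0, 0, 0, 0, 0, 0, 0, 2, 0xAA, 0xBB };
static const unsigned char sample_min[] = { 5, 2, 0x80, 0, 0, 0 }; /* -2^31 */

/* Decode a big-endian signed 32-bit length without relying on cast wraparound. */
static int32_t load_be32(const unsigned char *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return u > INT32_MAX ? -(int32_t)~u - 1 : (int32_t)u;
}

/* Walk the record lengths in buf (hypothetical helper). Returns the number of
 * entries, or -1 if malformed. Negative lengths are holes, counted in *holes. */
int scan_keytab(const unsigned char *buf, size_t len, int *holes)
{
    size_t pos = 2, skip;
    int entries = 0;
    *holes = 0;
    if (len < 2 || buf[0] != 0x05 || buf[1] != 0x02)
        return -1;
    while (len - pos >= 4) {
        int32_t size = load_be32(buf + pos);
        pos += 4;
        if (size == 0)              /* zero length ends the record list */
            break;
        if (size == INT32_MIN)      /* -size is not representable in int32_t */
            return -1;
        skip = (size_t)(size < 0 ? -size : size);
        if (skip > len - pos)       /* entry or hole runs past the data */
            return -1;
        if (size < 0)
            (*holes)++;
        else
            entries++;
        pos += skip;
    }
    return entries;
}

int main(void)
{
    int h, h2, n = scan_keytab(sample_ok, sizeof(sample_ok), &h);
    int m = scan_keytab(sample_min, sizeof(sample_min), &h2);
    printf("sample_ok: %d entries, %d holes; sample_min: %d\n", n, h, m);
    return 0;
}
```

Without the INT32_MIN comparison, the negation on the following line would overflow `int32_t`, which is undefined behaviour in C.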