[16574] in Kerberos-V5-bugs


Re: [krbdev.mit.edu #8914] Invalid negative record length in keytab

daemon@ATHENA.MIT.EDU (Joshua Neuheisel via RT)
Thu Jul 2 21:18:34 2020

From: "Joshua Neuheisel via RT" <rt@krbdev.mit.edu>
In-Reply-To: <816413C4-3089-4C3F-BC97-23D331677452@stsci.edu>
Message-ID: <rt-4.4.4-81809-1593739107-1359.8914-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8914":;
Date: Thu, 02 Jul 2020 21:18:27 -0400
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8914 >

Here's a patch to fail fast with a format error. It's not much code but still protects against this unlikely edge case.

--- /krb5-1.18.2.orig/src/lib/krb5/keytab/kt_file.c	2020-05-22 00:21:40.000000000 +0000
+++ /krb5-1.18.2/src/lib/krb5/keytab/kt_file.c	2020-07-01 19:16:42.000000000 +0000
@@ -921,6 +921,9 @@
             size = ntohl(size);
 
         if (size < 0) {
+            if (size == INT32_MIN)
+                return KRB5_KT_FORMAT;
+
             if (fseek(KTFILEP(id), -size, SEEK_CUR)) {
                 return errno;
             }
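Review bot: The new `if (size == INT32_MIN)` test at the top of the `size < 0` branch has no comment saying why that one value is rejected. The reason is the `-size` passed to `fseek` two lines later, which has no valid result for INT32_MIN in a 32-bit signed value; a one-line comment to that effect would keep a later cleanup from dropping the check. Also confirm that kt_file.c already includes a header that defines INT32_MIN, since this patch adds no include.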
@@ -1347,6 +1350,8 @@
                 return errno;
         } else if (size < 0) {
             /* Empty record; use if it's big enough, seek past otherwise. */
+            if (size == INT32_MIN)
+                return KRB5_KT_FORMAT;
             size = -size;
             if (size >= *size_needed) {
                 *size_needed = size;
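Review bot: In the `else if (size < 0)` branch the check is inserted between the existing comment "Empty record; use if it's big enough, seek past otherwise." and the `size = -size;` line that comment describes, so the comment now appears to document the format check. Move the check above the comment or give it a comment of its own, and match the first hunk's layout, which leaves a blank line after `return KRB5_KT_FORMAT;`. Because the same two lines now appear in both places, a small shared helper or macro would keep the two checks from drifting apart.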
--- /krb5-1.18.2.orig/src/tests/t_keytab.py	2020-05-22 00:21:40.000000000 +0000
+++ /krb5-1.18.2/src/tests/t_keytab.py	2020-07-03 00:58:00.000000000 +0000
@@ -185,5 +185,13 @@
 test_addent(realm, 'exp', '-f')
 test_addent(realm, 'pexp', '-f')
 
+# Test for proper INT32_MIN record length handling.
+mark('invalid record length')
+f = open(realm.keytab, 'wb')
+f.write(b'\x05\x02\x80\x00\x00\x00')
+f.close()
+msg = 'Bad format in keytab while scanning keytab'
+realm.run([klist, '-k'], expected_code=1, expected_msg=msg)
+
 success('Keytab-related tests')
 success('Keytab-related tests')
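Review bot: The added test runs only `klist -k`, which reads the keytab, so the `*size_needed` branch changed in the second kt_file.c hunk is not exercised; add a case that attempts to write an entry into a keytab containing the same record so that both checks are covered. A comment explaining the six bytes would help readers (the file format version `\x05\x02` followed by a record length of `\x80\x00\x00\x00`, which is INT32_MIN), and `with open(realm.keytab, 'wb') as f:` is more robust than a separate open and close. The trailing context also shows `success('Keytab-related tests')` twice; check that this is not a stray duplicate in the tree the diff was made from.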

