[17070] in Kerberos-V5-bugs
[krbdev.mit.edu #9193] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Sun Jan 25 04:32:49 2026
From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.3-2-3640876-1769328766-571.9193-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9193":;
Date: Sun, 25 Jan 2026 03:12:46 -0500
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
Sun Jan 25 03:12:46 2026: Request 9193 was acted upon.
Transaction: Ticket created by ghudson@mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson@mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9193 >
Fix uninitialized pointer dereference in libkrad

Commit 871125fea8ce0370a972bf65f7d1de63f619b06c changed
krad_packet_decode_request() to use a local variable "req" to hold the
decoded packet until it is verified, instead of immediately storing
into the caller's *reqpkt. The code to check for duplicate packets
erroneously continues to use *reqpkt, causing a read dereference of
whatever was in *reqpkt on entry to the function (typically null or an
uninitialized value). Fix the code to use req instead of *reqpkt.

This bug does not affect the KDC (which only uses libkrad as a
client), but can crash external software using libkrad as a server if
it ever processes more than one packet at a time.

[ghudson@mit.edu: edited commit message]
https://github.com/krb5/krb5/commit/f74a1b3fcde44cfa0d487973fd47a943cda49dc8
Author: Julien Rische <jrische@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: f74a1b3fcde44cfa0d487973fd47a943cda49dc8
Branch: master
src/lib/krad/packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
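
The failure mode the commit message describes, as an added example that is not part of the original message and is not libkrad code: a decoder holds the packet in a local until it is verified, so the duplicate check has to read that local and not the caller's out-parameter. The pkt type, the one-byte id used for matching, decode_request() and its use_out_param switch are assumptions made for illustration.

```c
/* Simplified model of the pattern in the commit message; NOT libkrad code.
 * All names (pkt, is_duplicate, decode_request) are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

typedef struct { unsigned char id; } pkt;

/* Return nonzero if any outstanding packet carries the same id as p. */
static int is_duplicate(const pkt *p, pkt *const *outstanding, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (outstanding[i]->id == p->id)
            return 1;
    }
    return 0;
}

/* Decode into a local and publish to *out only on success.
 * use_out_param=1 reproduces the bug: the duplicate check reads *out,
 * which still holds whatever the caller had there on entry. */
static int decode_request(const unsigned char *buf, size_t len,
                          pkt *const *outstanding, size_t n,
                          int use_out_param, pkt **out)
{
    pkt *req;

    if (len < 1)
        return EBADMSG;
    req = malloc(sizeof(*req));
    if (req == NULL)
        return ENOMEM;
    req->id = buf[0];

    /* Buggy form: *out is not the packet just decoded; a NULL or
     * uninitialized *out is dereferenced, a stale one gives a wrong answer.
     * Fixed form: check the local req. */
    if (is_duplicate(use_out_param ? *out : req, outstanding, n)) {
        free(req);
        return EALREADY;
    }
    *out = req;
    return 0;
}
```

With a stale but valid pointer in *out, the buggy form silently accepts a duplicate; with NULL or garbage it crashes as soon as there is an outstanding packet to compare against, which matches the "more than one packet at a time" condition in the message.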