[17076] in Kerberos-V5-bugs
[krbdev.mit.edu #9193] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Tue Jan 27 23:49:21 2026
From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To:
Message-ID: <rt-4.4.3-2-3920239-1769575756-873.9193-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9193":;
Date: Tue, 27 Jan 2026 23:49:16 -0500
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9193 >
Fix uninitialized pointer dereference in libkrad
Commit 871125fea8ce0370a972bf65f7d1de63f619b06c changed
krad_packet_decode_request() to use a local variable "req" to hold the
decoded packet until it is verified, instead of immediately storing
into the caller's *reqpkt. The code to check for duplicate packets
erroneously continues to use *reqpkt, causing a read dereference of
whatever was in *reqpkt on entry to the function (typically null or an
uninitialized value). Fix the code to use req instead of *reqpkt.
This bug does not affect the KDC (which only uses libkrad as a
client), but can crash external software using libkrad as a server if
it ever processes more than one packet at a time.
[ghudson@mit.edu: edited commit message]
(cherry picked from commit f74a1b3fcde44cfa0d487973fd47a943cda49dc8)
https://github.com/krb5/krb5/commit/a9b673942100bdb9568d4ed8cf0d05bf7211d803
Author: Julien Rische <jrische@redhat.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: a9b673942100bdb9568d4ed8cf0d05bf7211d803
Branch: krb5-1.22
src/lib/krad/packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
