[17102] in Kerberos-V5-bugs


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[krbdev.mit.edu #9209] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Sat May 16 18:37:09 2026

From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.3-2-2407424-1778971024-576.9209-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9209":;
Date: Sat, 16 May 2026 18:37:04 -0400
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Sat May 16 18:37:04 2026: Request 9209 was acted upon.
 Transaction: Ticket created by ghudson@mit.edu
       Queue: krb5
     Subject: git commit
       Owner: ghudson@mit.edu
  Requestors: 
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9209 >



Validate lengths when deserializing

When unmarshalling data structures using the krb5_ser_ functions,
bound-check lengths (including array counts) against the remaining
number of bytes to prevent large allocations, integer overflows, and a
potential read overrun in mspac_internalize().  Add an internal helper
function k5_ser_unpack_len() for this purpose.

[ghudson@mit.edu: added helper; added bounds checks for additional
lengths; rewrote commit message]

https://github.com/krb5/krb5/commit/63ae6a8d99ce89258d732f7561233f60df533fa9
Author: TristanInSec <tristan.mtn@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 63ae6a8d99ce89258d732f7561233f60df533fa9
Branch: master
 src/include/k5-int.h                      |  3 +++
 src/lib/gssapi/krb5/ser_sctx.c            |  6 ++++++
 src/lib/krb5/krb/authdata.c               |  5 ++---
 src/lib/krb5/krb/pac.c                    | 13 ++++++-------
 src/lib/krb5/krb/ser_actx.c               |  5 ++---
 src/lib/krb5/krb/ser_adata.c              | 13 ++++++-------
 src/lib/krb5/krb/ser_addr.c               | 12 ++++++------
 src/lib/krb5/krb/ser_auth.c               | 15 +++++----------
 src/lib/krb5/krb/ser_cksum.c              | 14 ++++++--------
 src/lib/krb5/krb/ser_ctx.c                | 18 +++++++++---------
 src/lib/krb5/krb/ser_key.c                | 11 +++++------
 src/lib/krb5/krb/ser_princ.c              | 11 +++++------
 src/lib/krb5/krb/serialize.c              | 18 ++++++++++++++++++
 src/lib/krb5/libkrb5.exports              |  1 +
 src/plugins/authdata/greet_client/greet.c |  2 ++
 15 files changed, 82 insertions(+), 65 deletions(-)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[17102] in Kerberos-V5-bugs

[krbdev.mit.edu #9209] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)Sat May 16 18:37:09 2026

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Sat May 16 18:37:09 2026