[17117] in Kerberos-V5-bugs


[krbdev.mit.edu #9215] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Jun 22 17:43:20 2026

From: "Greg Hudson via RT" <rt@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.3-2-2501528-1782164595-282.9215-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9215":;
Date: Mon, 22 Jun 2026 17:43:15 -0400
MIME-Version: 1.0
Reply-To: rt@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9215 >


Fix DB2 hash bitmap page count validation

In __kdb2_hash_open(), bpages is computed from the hash file header
and then used as the size argument when clearing hashp->mapp.  The
mapp array has only NCACHED entries, so a malformed hash database can
cause memset() to write past the end of the array.  Return EFTYPE if
the computed bitmap page count is negative or greater than NCACHED.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

https://github.com/krb5/krb5/commit/1e12220dc3609cfbe0b9662a8fa8b18143fa3e7f
Author: Bogdan Boguslavskij <bogdanb@altlinux.org>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 1e12220dc3609cfbe0b9662a8fa8b18143fa3e7f
Branch: master
 src/plugins/kdb/db2/libdb2/hash/hash.c | 3 +++
 1 file changed, 3 insertions(+)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
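
The bounds check described in the commit message, as an added example that is not the krb5 source. It is a simplified model: `toy_hash`, `toy_open`, `toy_check`, the `NCACHED` value of 32 and the `EFTYPE` fallback are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef EFTYPE
#define EFTYPE EINVAL  /* EFTYPE is BSD-specific; fallback assumed for this example */
#endif
#define NCACHED 32     /* constructed value for this example */
#define GUARD 0x5A5A5A5A

/* Hypothetical, simplified stand-in for the hash handle. */
struct toy_hash {
    uint32_t *mapp[NCACHED];  /* fixed-size cache of bitmap page pointers */
    int nmaps;
    int guard;                /* placed after the array; an overrun would reach it */
};

/* bpages models the bitmap page count derived from the on-disk header,
 * so it is attacker-controlled if the database file is malformed.
 * Returns 0 on success, EFTYPE if the count cannot fit in mapp. */
int toy_open(struct toy_hash *hp, int bpages)
{
    /* Validate before the count becomes a size. A negative count matters too:
     * converted to size_t for memset() it turns into a very large length. */
    if (bpages < 0 || bpages > NCACHED)
        return EFTYPE;
    hp->nmaps = bpages;
    memset(&hp->mapp[0], 0, (size_t)bpages * sizeof(hp->mapp[0]));
    return 0;
}

/* Opens a poisoned handle with the given count; returns toy_open()'s result,
 * or -1 if the guard word after the array was modified. */
int toy_check(int bpages)
{
    struct toy_hash h;
    memset(&h, 0xAA, sizeof(h));
    h.guard = GUARD;
    int rc = toy_open(&h, bpages);
    return h.guard == GUARD ? rc : -1;
}

int main(void)
{
    int counts[] = { 0, NCACHED, NCACHED + 1, -1 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
        printf("bpages=%d -> %d\n", counts[i], toy_check(counts[i]));
    return 0;
}
```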
