[krbdev.mit.edu #8914] Invalid negative record length in keytab file
Joshua Neuheisel via RT
rt at krbdev.mit.edu
Thu Jul 2 21:18:27 EDT 2020
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8914 >
Here's a patch to fail fast with a format error. It's not much code but still protects against this unlikely edge case.
--- /krb5-1.18.2.orig/src/lib/krb5/keytab/kt_file.c 2020-05-22 00:21:40.000000000 +0000
+++ /krb5-1.18.2/src/lib/krb5/keytab/kt_file.c 2020-07-01 19:16:42.000000000 +0000
@@ -921,6 +921,9 @@
size = ntohl(size);
if (size < 0) {
+ if (size == INT32_MIN)
+ return KRB5_KT_FORMAT;
+
if (fseek(KTFILEP(id), -size, SEEK_CUR)) {
return errno;
}
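Review bot: The new `size == INT32_MIN` check carries no comment saying why that single value is rejected, and the reason is not visible on the line itself: the next statement passes `-size` to fseek(), and negating INT32_MIN overflows a 32-bit signed integer. I would add `/* -size is not representable for INT32_MIN; treat the keytab as corrupt. */` above the check here and above the identical check in the second kt_file.c hunk, just before `size = -size;`. The declaration of `size` lies outside both hunks, so this assumes it is a 32-bit signed type. The enclosing function also starts and ends outside the hunk.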
@@ -1347,6 +1350,8 @@
return errno;
} else if (size < 0) {
/* Empty record; use if it's big enough, seek past otherwise. */
+ if (size == INT32_MIN)
+ return KRB5_KT_FORMAT;
size = -size;
if (size >= *size_needed) {
*size_needed = size;
--- /krb5-1.18.2.orig/src/tests/t_keytab.py 2020-05-22 00:21:40.000000000 +0000
+++ /krb5-1.18.2/src/tests/t_keytab.py 2020-07-03 00:58:00.000000000 +0000
@@ -185,5 +185,13 @@
test_addent(realm, 'exp', '-f')
test_addent(realm, 'pexp', '-f')
+# Test for proper INT32_MIN record length handling.
+mark('invalid record length')
+f = open(realm.keytab, 'wb')
+f.write(b'\x05\x02\x80\x00\x00\x00')
+f.close()
+msg = 'Bad format in keytab while scanning keytab'
+realm.run([klist, '-k'], expected_code=1, expected_msg=msg)
+
success('Keytab-related tests')
success('Keytab-related tests')
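Review bot: Only the read path is exercised here: `klist -k` reaches the first kt_file.c check, while the second check sits in the empty-record branch that compares against `*size_needed` and appears to be reached only when an entry is written, so it has no coverage. A second case that tries to add an entry to the same six-byte keytab and expects a format error would cover it. The write could use `with open(realm.keytab, 'wb') as f:` so the handle is closed even if `f.write` raises. Because the test leaves realm.keytab corrupt, a comment such as `# Overwrites the keytab; keep this as the last test.` would stop later additions from tripping over it.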