krb5 commit [krb5-1.13]: Check princ length in krb5_sname_match()
Tom Yu
tlyu at mit.edu
Wed Jul 6 16:32:55 EDT 2016
https://github.com/krb5/krb5/commit/685cb577890bc565ab122bc65027e177c180e12f
commit 685cb577890bc565ab122bc65027e177c180e12f
Author: Greg Hudson <ghudson at mit.edu>
Date: Thu May 12 16:03:06 2016 -0400
Check princ length in krb5_sname_match()
krb5_sname_match() can read past the end of princ's component array in
some circumstances (typically when a keytab contains both "x" and
"x/y" principals). Add a length check. Reported by Spencer Jackson.
(cherry picked from commit fb9fcfa92fd37221c77e1a4c0b930383e6839e22)
ticket: 8415
version_fixed: 1.13.6
src/lib/krb5/krb/sname_match.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/src/lib/krb5/krb/sname_match.c b/src/lib/krb5/krb/sname_match.c
index 0c7bd39..9520dfc 100644
--- a/src/lib/krb5/krb/sname_match.c
+++ b/src/lib/krb5/krb/sname_match.c
@@ -36,6 +36,9 @@ krb5_sname_match(krb5_context context, krb5_const_principal matching,
if (matching->type != KRB5_NT_SRV_HST || matching->length != 2)
return krb5_principal_compare(context, matching, princ);
+ if (princ->length != 2)
+ return FALSE;
+
/* Check the realm if present in matching. */
if (matching->realm.length != 0 && !data_eq(matching->realm, princ->realm))
return FALSE;
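Review bot: The added `if (princ->length != 2)` check has no comment, unlike the realm check directly below it, so a reader of the code cannot tell why it returns FALSE outright while the `matching->length != 2` test just above falls back to krb5_principal_compare(). A one-line comment stating that princ must have exactly two components, because the commit message says the function could otherwise read past the end of princ's component array, would record the intent. The diffstat shows only sname_match.c changed, so a regression test for the case the message names (a keytab containing both "x" and "x/y" principals) would be worth adding alongside this fix.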