krb5 commit: Avoid backward seeks when reading keytab files

Greg Hudson ghudson at mit.edu
Tue Jul 7 01:04:00 EDT 2020


https://github.com/krb5/krb5/commit/99f7ad2831a01f264c07eed42a0a3a9336b86184
commit 99f7ad2831a01f264c07eed42a0a3a9336b86184
Author: Joshua Neuheisel <jneuheisel at stsci.edu>
Date:   Fri Jul 3 11:29:26 2020 -0400

    Avoid backward seeks when reading keytab files
    
    When considering or bypassing an empty record in a keytab file, check
    for a length of INT32_MIN.  Otherwise we could perform a backwards
    seek, as the negation of INT32_MIN is still negative.
    
    [ghudson at mit.edu: adjusted comments; wrote commit message]
    
    ticket: 8914

 src/lib/krb5/keytab/kt_file.c |    4 ++++
 src/tests/t_keytab.py         |    9 ++++++++-
 2 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 80db117..e510211 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -921,6 +921,8 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke
             size = ntohl(size);
 
         if (size < 0) {
+            if (size == INT32_MIN)  /* INT32_MIN inverts to itself. */
+                return KRB5_KT_FORMAT;
             if (fseek(KTFILEP(id), -size, SEEK_CUR)) {
                 return errno;
             }
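Review bot: The comment `/* INT32_MIN inverts to itself. */` on the added check understates why the value is rejected: where int is 32 bits, `-size` with size == INT32_MIN is signed overflow, which C leaves undefined, and where it wraps the result is still negative, so the fseek() below would move backwards. I would spell that out, e.g. `/* -INT32_MIN overflows and stays negative; reject instead of seeking backwards. */`. The same check and comment are added to krb5_ktfileint_find_slot in the next hunk, so the wording applies there too, and the two sites could share one small static helper. Other negative lengths still reach fseek() without being compared against the remaining file size; that is probably harmless if the following read reports end of file, but that code lies outside the hunk, as do the start and end of this function.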
@@ -1347,6 +1349,8 @@ krb5_ktfileint_find_slot(krb5_context context, krb5_keytab id, krb5_int32 *size_
                 return errno;
         } else if (size < 0) {
             /* Empty record; use if it's big enough, seek past otherwise. */
+            if (size == INT32_MIN)  /* INT32_MIN inverts to itself. */
+                return KRB5_KT_FORMAT;
             size = -size;
             if (size >= *size_needed) {
                 *size_needed = size;
diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
index 633f7c7..850375c 100755
--- a/src/tests/t_keytab.py
+++ b/src/tests/t_keytab.py
@@ -185,5 +185,12 @@ test_addent(realm, 'default', '-f -e aes128-cts')
 test_addent(realm, 'exp', '-f')
 test_addent(realm, 'pexp', '-f')
 
-success('Keytab-related tests')
+# Regression test for #8914: INT32_MIN length can cause backwards seek
+mark('invalid record length')
+f = open(realm.keytab, 'wb')
+f.write(b'\x05\x02\x80\x00\x00\x00')
+f.close()
+msg = 'Bad format in keytab while scanning keytab'
+realm.run([klist, '-k'], expected_code=1, expected_msg=msg)
+
 success('Keytab-related tests')
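Review bot: The regression test only drives the read path (`klist -k`, which fails with 'while scanning keytab'), so the second check added in krb5_ktfileint_find_slot appears to be untested. A further case that attempts to add an entry to the same corrupt keytab and expects the format error would presumably cover it. The byte string deserves a comment for readers who do not know the file layout, e.g. `# 0x0502 file version, then a record length of 0x80000000 (INT32_MIN)`. The file could also be written with `with open(realm.keytab, 'wb') as f:` so the handle is closed even if the write raises.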

