krb5 commit: Fix recently-introduced profile parsing bugs

ghudson at mit.edu ghudson at mit.edu
Tue May 28 16:48:24 EDT 2024 

https://github.com/krb5/krb5/commit/e85e30234f0e0e250a00e5f3468bb7311a7d3fb2
commit e85e30234f0e0e250a00e5f3468bb7311a7d3fb2
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue May 21 19:10:50 2024 -0400

    Fix recently-introduced profile parsing bugs
    
    When parsing a "}", do not ascend to the parent node if we are still
    within a discarded section after decrementing group_level, as we did
    not descend into a child node at the beginning of the subsection.
    (Discovered by OSS-Fuzz.)
    
    Also adjust the level check to take into account the shifted meaning
    of state->group_level, so that we properly reject a "}" within a
    top-level section.
    
    Both bugs were introduced in commit
    f951625e6bd3ff44f1056958b56e35a1a043e362.

 src/util/profile/final6.ini   |  7 +++++++
 src/util/profile/prof_parse.c | 14 +++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/src/util/profile/final6.ini b/src/util/profile/final6.ini
index c1e44b747..0035c474e 100644
--- a/src/util/profile/final6.ini
+++ b/src/util/profile/final6.ini
@@ -25,6 +25,13 @@
 	bb = {
 		bba = 2
 	}
+	# Regression test for a bug where each subsection within a
+	# discarded section caused the parser to ascend into the
+	# parent node without descending into a child node first.
+	bb = {
+	}
+	bb = {
+	}
 
 [c]
 	ca* = {
diff --git a/src/util/profile/prof_parse.c b/src/util/profile/prof_parse.c
index c581fb722..2e329de4e 100644
--- a/src/util/profile/prof_parse.c
+++ b/src/util/profile/prof_parse.c
@@ -124,18 +124,22 @@ static errcode_t parse_std_line(char *line, struct parse_state *state)
         return 0;
     }
     if (ch == '}') {
-        if (state->group_level == 0)
+        if (state->group_level < 2)
             return PROF_EXTRA_CBRACE;
         if (*(cp+1) == '*')
             profile_make_node_final(state->current_section);
-        retval = profile_get_node_parent(state->current_section,
-                                         &state->current_section);
-        if (retval)
-            return retval;
         state->group_level--;
         /* Check if we are done discarding values from a subsection. */
         if (state->group_level < state->discard)
             state->discard = 0;
+        /* Ascend to the current node's parent, unless the subsection we ended
+         * was discarded (in which case we never descended). */
+        if (!state->discard) {
+            retval = profile_get_node_parent(state->current_section,
+                                             &state->current_section);
+            if (retval)
+                return retval;
+        }
         return 0;
     }
     /*

More information about the cvs-krb5 mailing list