krb5 commit: Fix potential PAC processing crash

ghudson at mit.edu ghudson at mit.edu
Mon Oct 14 12:45:15 EDT 2024


https://github.com/krb5/krb5/commit/331e393c6def46c00b6b54e1b2a0d1080c2af9e0
commit 331e393c6def46c00b6b54e1b2a0d1080c2af9e0
Author: Arjun <pkillarjun at protonmail.com>
Date:   Fri Oct 11 08:52:52 2024 +0530

    Fix potential PAC processing crash
    
    An input to krb5_pac_parse() with a zero-length buffer at the end of
    the PAC can cause an assertion failure in k5_pac_locate_buffer() due
    to an off-by-one error.  Correct the assertion.
    
    [ghudson at mit.edu: edited commit message]
    
    ticket: 9144 (new)
    tags: pullup
    target_version: 1.21-next

 src/lib/krb5/krb/pac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 77adcd272..909196b8d 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -146,7 +146,7 @@ k5_pac_locate_buffer(krb5_context context, const krb5_pac pac, uint32_t type,
     if (buffer == NULL)
         return ENOENT;
 
-    assert(buffer->offset < pac->data.length);
+    assert(buffer->offset <= pac->data.length);
     assert(buffer->size <= pac->data.length - buffer->offset);
 
     if (data_out != NULL)
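Review bot: The corrected bound at `assert(buffer->offset <= pac->data.length);` is still only an assertion on values that, per the commit message, come from the input given to krb5_pac_parse(), and the change carries no regression test (the diffstat touches only src/lib/krb5/krb/pac.c). Please add a test that parses a PAC whose final buffer has zero length and an offset equal to the data length, so the boundary stays covered. The relaxed check itself looks safe: when the offset equals `pac->data.length`, the following `assert(buffer->size <= pac->data.length - buffer->offset);` forces the size to 0. Since the function already returns an error code just above (`return ENOENT;`), consider whether these two invariants should also fail with an error return rather than abort the process, which would also keep the checks in builds where assert() is compiled out.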

