krb5 commit [krb5-1.21]: Fix potential PAC processing crash
ghudson at mit.edu
Mon Aug 4 18:32:11 EDT 2025
https://github.com/krb5/krb5/commit/79b244de8be6902a4af2c78e6619a815a1df8722
commit 79b244de8be6902a4af2c78e6619a815a1df8722
Author: Arjun <pkillarjun at protonmail.com>
Date: Fri Oct 11 08:52:52 2024 +0530
Fix potential PAC processing crash
An input to krb5_pac_parse() with a zero-length buffer at the end of
the PAC can cause an assertion failure in k5_pac_locate_buffer() due
to an off-by-one error. Correct the assertion.
[ghudson at mit.edu: edited commit message]
(cherry picked from commit 331e393c6def46c00b6b54e1b2a0d1080c2af9e0)
ticket: 9144
version_fixed: 1.21.4
src/lib/krb5/krb/pac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 77adcd272..909196b8d 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -146,7 +146,7 @@ k5_pac_locate_buffer(krb5_context context, const krb5_pac pac, uint32_t type,
if (buffer == NULL)
return ENOENT;
- assert(buffer->offset < pac->data.length);
+ assert(buffer->offset <= pac->data.length);
assert(buffer->size <= pac->data.length - buffer->offset);
if (data_out != NULL)
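Review bot: the relaxed check `assert(buffer->offset <= pac->data.length)` carries no comment explaining why equality is legal, and the diffstat shows only pac.c changed, so no regression input accompanies the fix. A one-line comment stating that offset == length is valid only for a zero-length buffer at the end of the PAC would keep a later cleanup from tightening it back to `<`; the next assert (`buffer->size <= pac->data.length - buffer->offset`) already forces size to 0 in that case, so the pair is consistent. Because the commit message says the failure is reachable from krb5_pac_parse() input, a test case with a trailing zero-length buffer would be worth adding alongside this change. It is also worth considering whether both checks should return an error instead of calling assert(), since they are evaluated on values derived from parsed input.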