krb5 commit: Prevent read overrun in libkdb_ldap
ghudson at mit.edu
Sat Apr 18 17:49:34 EDT 2026
https://github.com/krb5/krb5/commit/2a5fd83d4436583f2ddc0e193269a4d800ee45c4
commit 2a5fd83d4436583f2ddc0e193269a4d800ee45c4
Author: Sebastián Alba <sebasjosue84 at gmail.com>
Date: Wed Apr 8 18:32:25 2026 -0400
Prevent read overrun in libkdb_ldap
In berval2tl_data(), reject inputs of length less than 2 to prevent an
integer underflow and subsequent read overrun. (The security impact
is negligible as the attacker would have to control the KDB LDAP
server.)
[ghudson at mit.edu: wrote commit message]
ticket: 9206 (new)
tags: pullup
target_version: 1.22-next
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 418d253d1..9aa68bacd 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -80,6 +80,9 @@ getstringtime(krb5_timestamp);
krb5_error_code
berval2tl_data(struct berval *in, krb5_tl_data **out)
{
+ if (in->bv_len < 2)
+ return EINVAL;
+
*out = (krb5_tl_data *) malloc (sizeof (krb5_tl_data));
if (*out == NULL)
return ENOMEM;
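Review bot: the new early return at the top of berval2tl_data() leaves *out unassigned, while the ENOMEM path just below returns with *out == NULL, so the two error paths hand the caller different states. Setting *out = NULL before the length check would make both consistent and would keep a caller that frees or inspects *out on error from touching an uninitialized pointer. The constant 2 is also unexplained in the code itself; a one-line comment stating which two leading bytes the function expects, and that a shorter value would underflow the later length computation described in the commit message, would keep the check from looking arbitrary to later readers.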