krb5 commit [krb5-1.22]: Prevent read overrun in libkdb_ldap
ghudson at mit.edu
ghudson at mit.edu
Thu Apr 23 18:25:51 EDT 2026
https://github.com/krb5/krb5/commit/974a8875767a2f375669f84b176c7d98a7c85a20
commit 974a8875767a2f375669f84b176c7d98a7c85a20
Author: Sebastián Alba <sebasjosue84 at gmail.com>
Date: Wed Apr 8 18:32:25 2026 -0400
Prevent read overrun in libkdb_ldap
In berval2tl_data(), reject inputs of length less than 2 to prevent an
integer underflow and subsequent read overrun. (The security impact
is negligible as the attacker would have to control the KDB LDAP
server.)
[ghudson at mit.edu: wrote commit message]
(cherry picked from commit 2a5fd83d4436583f2ddc0e193269a4d800ee45c4)
ticket: 9206
version_fixed: 1.22.3
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ae4e03f8c..525e8d027 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -80,6 +80,9 @@ getstringtime(krb5_timestamp);
krb5_error_code
berval2tl_data(struct berval *in, krb5_tl_data **out)
{
+ if (in->bv_len < 2)
+ return EINVAL;
+
*out = (krb5_tl_data *) malloc (sizeof (krb5_tl_data));
if (*out == NULL)
return ENOMEM;
More information about the cvs-krb5
mailing list