krb5 commit: Fix key usage list parsing in PKINIT matching code

ghudson at mit.edu ghudson at mit.edu
Thu Jul 9 22:22:05 EDT 2026


https://github.com/krb5/krb5/commit/53be0c473f8a0bc88e0f0d99544034b04edacb7b
commit 53be0c473f8a0bc88e0f0d99544034b04edacb7b
Author: Greg Hudson <ghudson at mit.edu>
Date:   Sat Jun 20 19:16:50 2026 -0400

    Fix key usage list parsing in PKINIT matching code
    
    pkinit_matching.c:parse_list_value() uses strncasecmp() to compare a
    comma-delimited substring of the configured input rule (value) against
    a string literal (ku->value).  The strncasecmp() call uses the wrong
    bound, so could erroneously match a prefix of ku->value.  When this
    happens, the pointer into the rule is incremented by the full length
    of the string literal (not the matched prefix), possibly advancing
    past the end of the rule and causing a subsequent undefined memory
    read.
    
    Fix this bug by checking the rule substring length against the string
    literal length before comparing.  Reported by Aisle Research (Ze
    Sheng, Dmitrijs Trizna, Luigino Camastra, Guido Vranken).
    
    ticket: 9223

 src/plugins/preauth/pkinit/pkinit_matching.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
index b3c8df161..7e0c287eb 100644
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
@@ -224,7 +224,8 @@ parse_list_value(krb5_context context,
         }
 
         for (; ku->value != NULL; ku++) {
-            if (strncasecmp(value, ku->value, len) == 0) {
+            if (len == ku->length &&
+                strncasecmp(value, ku->value, ku->length) == 0) {
                 *bitptr |= ku->bitval;
                 found = 1;
                 pkiDebug("%s: Found value '%s', bitfield is now 0x%x\n",


More information about the cvs-krb5 mailing list