krb5 commit: Fix key usage list parsing in PKINIT matching code
ghudson at mit.edu
ghudson at mit.edu
Thu Jul 9 22:22:05 EDT 2026
https://github.com/krb5/krb5/commit/53be0c473f8a0bc88e0f0d99544034b04edacb7b
commit 53be0c473f8a0bc88e0f0d99544034b04edacb7b
Author: Greg Hudson <ghudson at mit.edu>
Date: Sat Jun 20 19:16:50 2026 -0400
Fix key usage list parsing in PKINIT matching code
pkinit_matching.c:parse_list_value() uses strncasecmp() to compare a
comma-delimited substring of the configured input rule (value) against
a string literal (ku->value). The strncasecmp() call uses the wrong
bound, so could erroneously match a prefix of ku->value. When this
happens, the pointer into the rule is incremented by the full length
of the string literal (not the matched prefix), possibly advancing
past the end of the rule and causing a subsequent undefined memory
read.
Fix this bug by checking the rule substring length against the string
literal length before comparing. Reported by Aisle Research (Ze
Sheng, Dmitrijs Trizna, Luigino Camastra, Guido Vranken).
ticket: 9223
src/plugins/preauth/pkinit/pkinit_matching.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c
index b3c8df161..7e0c287eb 100644
--- a/src/plugins/preauth/pkinit/pkinit_matching.c
+++ b/src/plugins/preauth/pkinit/pkinit_matching.c
@@ -224,7 +224,8 @@ parse_list_value(krb5_context context,
}
for (; ku->value != NULL; ku++) {
- if (strncasecmp(value, ku->value, len) == 0) {
+ if (len == ku->length &&
+ strncasecmp(value, ku->value, ku->length) == 0) {
*bitptr |= ku->bitval;
found = 1;
pkiDebug("%s: Found value '%s', bitfield is now 0x%x\n",
More information about the cvs-krb5
mailing list