krb5 commit: Avoid another null dereference in krb5_rd_cred()
ghudson at mit.edu
Thu Jun 11 17:07:09 EDT 2026
https://github.com/krb5/krb5/commit/5031b854ad8ba6cce20cdd8c991f81dbc3f924bd
commit 5031b854ad8ba6cce20cdd8c991f81dbc3f924bd
Author: Rahul Hoysala <rahulhoysala07 at gmail.com>
Date: Thu Jun 4 13:14:45 2026 +0530
Avoid another null dereference in krb5_rd_cred()
In RFC 4120, the ticket client and server principal names are optional
in KrbCredInfo, but we have always required them to be present. Add
checks to prevent null dereferences in krb5_rd_cred() if either name
is not specified.
[ghudson at mit.edu: folded check in with the end-of-list check; rewrote
comment and commit message]
ticket: 9219 (new)
tags: pullup
target_version: 1.22-next
src/lib/krb5/krb/rd_cred.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index c341eba15..80d49fd8b 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -98,8 +98,9 @@ make_cred_list(krb5_context context, krb5_cred *krbcred,
goto cleanup;
info = encpart->ticket_info[i];
- if (info == NULL) {
- /* We unexpectedly reached the end of the encrypted ticket info. */
+ if (info == NULL || info->client == NULL || info->server == NULL) {
+ /* We unexpectedly reached the end of the encrypted ticket info,
+ * or the ticket info is unexpectedly missing a principal name. */
ret = KRB5KRB_AP_ERR_MODIFIED;
goto cleanup;
}
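Review bot: The merged condition `info == NULL || info->client == NULL || info->server == NULL` reports a missing principal name with KRB5KRB_AP_ERR_MODIFIED, the same code used for a truncated ticket_info list, so a caller cannot tell a short list from a KrbCredInfo that omits fields the commit message says RFC 4120 treats as optional. If that is intended, the comment could say that omitted names are deliberately rejected as unsupported rather than calling them unexpected, so a later reader does not take the check for a protocol requirement. The diffstat shows only rd_cred.c changing, so there is no regression test here. A case that passes krb5_rd_cred() a KRB-CRED whose KrbCredInfo lacks the client name, and another lacking the server name, each expecting this error, would keep the null dereference from returning.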