krb5 commit: Cap decoding GeneralTime when time_t is 32-bit

ghudson at mit.edu ghudson at mit.edu
Mon Mar 23 13:13:45 EDT 2026


https://github.com/krb5/krb5/commit/7e0e602875075fe541d3ffa65acca2e3b94adcd0
commit 7e0e602875075fe541d3ffa65acca2e3b94adcd0
Author: Michael Osipov <michael.osipov at innomotics.com>
Date:   Wed Feb 25 11:39:20 2026 +0100

    Cap decoding GeneralTime when time_t is 32-bit
    
    In k5_asn1_decode_generaltime(), on platforms with 32-bit time_t only,
    yield the maximum possible timestamp value when the result would
    exceed it.
    
    This change addresses Windows clients and KDCs using timestamps in the
    year 2100 to represent "never".  While it is not in general safe to
    return the wrong value from an ASN.1 decoding function instead of an
    error, 32-bit platforms are increasingly rare, and no negative
    ramifications are known at this time.
    
    [ghudson at mit.edu: added comment; rewrote commit message]
    
    ticket: 9200 (new)

 src/lib/krb5/asn.1/asn1_encode.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
index 651d213c4..7aebe60db 100644
--- a/src/lib/krb5/asn.1/asn1_encode.c
+++ b/src/lib/krb5/asn.1/asn1_encode.c
@@ -261,6 +261,21 @@ k5_asn1_decode_generaltime(const uint8_t *asn1, size_t len, time_t *time_out)
         if ((uint8_t)c2i(s[i]) > 9)
             return ASN1_BAD_TIMEFORMAT;
     }
+#if SIZEOF_TIME_T == 4
+    /*
+     * Microsoft clients and KDCs use timestamps in 2100 to indicate "never",
+     * both in AS-REQ till values and in AS-REP LastReq values.  On 32-bit
+     * platforms we cannot represent these timestamps in a time_t result.
+     * Clamping the result as we do here is not safe (it could cause issues if
+     * we ever need to re-encode an ASN.1 value containing a timestamp), but it
+     * does solve the interoperability issues caused by these specific uses of
+     * large timestamp values.
+     */
+    if (memcmp(s, "20380119031407Z", 15) > 0) {
+        *time_out = (time_t)INT32_MAX;
+        return 0;
+    }
+#endif
     ts.tm_year = 1000 * c2i(s[0]) + 100 * c2i(s[1]) + 10 * c2i(s[2]) +
         c2i(s[3]) - 1900;
     ts.tm_mon = 10 * c2i(s[4]) + c2i(s[5]) - 1;
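
Review bot: The early `return 0` inside the `#if SIZEOF_TIME_T == 4` block runs after only the digit check shown above it and before any calendar field is parsed into `ts`, so on 32-bit builds every 14-digit string that sorts after "20380119031407Z" is accepted as INT32_MAX, including ones with an impossible month, day or time of day (month 13, for instance). If the code following this hunk rejects such values on the normal path, 32-bit and 64-bit builds will now disagree on whether the same encoding is valid. Consider range-checking the month, day, hour, minute and second digits before the clamp, or saying in the comment that field validation is skipped for clamped values. The 15-byte `memcmp` also relies on the input length and the trailing 'Z' having been verified before this point, which the hunk does not show and is worth confirming.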

