krb5 commit: Avoid null dereference in krb5_rd_cred()
ghudson at mit.edu
ghudson at mit.edu
Mon May 18 21:25:41 EDT 2026
https://github.com/krb5/krb5/commit/48afa9abb89ab2176bb20624d87d010b9984fc08
commit 48afa9abb89ab2176bb20624d87d010b9984fc08
Author: TristanInSec <tristan.mtn at gmail.com>
Date: Mon May 18 11:57:21 2026 -0400
Avoid null dereference in krb5_rd_cred()
A malformed KRB-CRED message may have fewer entries in the encrypted
ticket-info list than it has in the tickets list. In each loop
iteration, check if we unexpectedly reached the end of the ticket-info
list to avoid a null dereference.
[ghudson at mit.edu: added comment; rewrote commit message]
ticket: 9211 (new)
tags: pullup
target_version: 1.22-next
src/lib/krb5/krb/rd_cred.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index d89a98ae0..c341eba15 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -98,6 +98,11 @@ make_cred_list(krb5_context context, krb5_cred *krbcred,
goto cleanup;
info = encpart->ticket_info[i];
+ if (info == NULL) {
+ /* We unexpectedly reached the end of the encrypted ticket info. */
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
ret = krb5_copy_principal(context, info->client, &list[i]->client);
if (ret)
goto cleanup;
More information about the cvs-krb5
mailing list