[krbdev.mit.edu #8914] Invalid negative record length in keytab file
Joshua Neuheisel via RT
rt-comment at krbdev.mit.edu
Fri Jun 12 16:32:29 EDT 2020
Fri Jun 12 16:32:28 2020: Request 8914 was acted upon.
Transaction: Ticket created by jneuheisel at stsci.edu
Queue: krb5
Subject: Invalid negative record length in keytab file
Owner: Nobody
Requestors: jneuheisel at stsci.edu
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8914 >
I’ve found an unlikely case where keytab record lengths produce unexpected behavior. The following snippet of code, when run in bash, will create a 2GB file called bad.keytab. When this file is read (read_kt) using ktutil, the process will enter an infinite loop:
(echo -ne '\05\02\0200\0\0\010'; dd if=/dev/zero count=21474 bs=100000; dd if=/dev/zero count=1 bs=83640; echo -ne '\0200\0\0\0') >bad.keytab
The reason is the code in krb5_ktfileint_internal_read_entry (kt_file.c:924 in krb5-1.18.2.tar.gz) assumes that the 2's complement of a negative 32-bit integer is always positive. This is not true for (int32_t) 0x80000000.
Given the wording of https://web.mit.edu/kerberos/krb5-1.18/doc/formats/keytab_file_format.html, it’s not clear to me what the expected behavior should be, although an infinite loop is definitely undesirable. I’d be happy to help supply a patch if it’s clear what the expected behavior should be.
Thanks,
Joshua Neuheisel
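The overflow described in the ticket, as an added C example that is not krb5's own code: a keytab record-length decoder that classifies the length field and rejects INT32_MIN (and zero) instead of negating it, run over the two length fields from the constructed bad.keytab above. The kt_* function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Result of inspecting one keytab record-length field. */
enum kt_rec { KT_REC_ENTRY, KT_REC_EMPTY, KT_REC_INVALID };

/* Decode the 4-byte big-endian record length that precedes each keytab
 * record, without relying on an out-of-range cast (assumed helper). */
int32_t kt_read_len(const unsigned char *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    if (u & 0x80000000u)                    /* sign bit set: negative */
        return -(int32_t)(~u & 0x7fffffffu) - 1;
    return (int32_t)u;
}

/* Positive length: a live entry. Negative: an empty slot whose size is the
 * magnitude. Zero and INT32_MIN are rejected: a zero slot never advances
 * the cursor, and -INT32_MIN does not exist in 32 bits, so negating it
 * (the step the ticket describes) yields a value that is still negative. */
enum kt_rec kt_classify_len(int32_t len)
{
    if (len == 0 || len == INT32_MIN)
        return KT_REC_INVALID;
    return len > 0 ? KT_REC_ENTRY : KT_REC_EMPTY;
}

/* Bytes a reader must skip after the length field, or 0 if invalid.
 * Widening to 64 bits before negating keeps the arithmetic defined. */
uint32_t kt_slot_size(int32_t len)
{
    if (kt_classify_len(len) == KT_REC_INVALID)
        return 0;
    return (uint32_t)(len > 0 ? (int64_t)len : -(int64_t)len);
}

int main(void)
{
    /* Constructed: the two length fields from the ticket's bad.keytab. */
    const unsigned char first[4] = {0x80, 0x00, 0x00, 0x08};
    const unsigned char last[4]  = {0x80, 0x00, 0x00, 0x00};
    int32_t a = kt_read_len(first), b = kt_read_len(last);
    printf("first: len=%d kind=%d skip=%u\n", a, kt_classify_len(a), kt_slot_size(a));
    printf("last:  len=%d kind=%d skip=%u\n", b, kt_classify_len(b), kt_slot_size(b));
    return 0;
}
```

The first field decodes to an empty slot of 2147483640 bytes, which is exactly what the dd commands write; the last field is the INT32_MIN case and is refused rather than looped on.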