[krbdev.mit.edu #8914] Invalid negative record length in keytab file

Greg Hudson via RT rt at krbdev.mit.edu
Fri Jun 12 18:38:34 EDT 2020


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8914 >

There are two reasonable ways to react to a length value of -2^31: throw an
error because the size of the purported hole is absurdly large, or skip forward
2^31 bytes. (The value is absurd because an entry is only a little bit longer
than the marshalled principal name, and a principal name shouldn't marshal to
anywhere near 2^31 bytes.)

To throw an error we can simply add a comparison to INT32_MIN.

Handling the value as stated would require more work. If we could assume that
long is 64 bits, it would be fairly easy; we'd just have to adjust the
marshalling code so that the variable size is of type long instead of int32_t.
But we can't assume that long is 64 bits, even in the steady state (long is
still 32 bits on 64-bit Windows), so we'd have to abandon stdio and use POSIX
I/O. That almost certainly isn't worth it.
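The first option described in the message, rejecting a length of INT32_MIN before negating it, as an added example that is not part of the original message and is not MIT krb5's code. It walks an in-memory buffer instead of a stdio stream and assumes big-endian signed 32-bit length prefixes; `count_records`, `load_be32`, the `KT_*` codes and the sample buffers are hypothetical names constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { KT_OK = 0, KT_TRUNCATED = -1, KT_BAD_LENGTH = -2 }; /* hypothetical codes */

/* Decode a big-endian two's-complement 32-bit length without relying on
 * implementation-defined unsigned-to-signed conversion. */
static int32_t load_be32(const unsigned char *p)
{
    uint32_t u = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    return (u & 0x80000000u) ? -(int32_t)(0xFFFFFFFFu - u) - 1 : (int32_t)u;
}

/* Walk records: positive length = entry, negative = hole of -length bytes. */
int count_records(const unsigned char *buf, size_t len,
                  size_t *entries, size_t *holes)
{
    size_t pos = 0, skip;

    *entries = *holes = 0;
    while (len - pos >= 4) {
        int32_t size = load_be32(buf + pos);
        pos += 4;
        if (size == INT32_MIN)      /* -size is not representable in int32_t */
            return KT_BAD_LENGTH;
        if (size == 0)              /* assumption: zero length ends the data */
            break;
        skip = (size < 0) ? (size_t)(-size) : (size_t)size;
        if (skip > len - pos)       /* record or hole runs past the buffer */
            return KT_TRUNCATED;
        if (size < 0) (*holes)++; else (*entries)++;
        pos += skip;
    }
    return KT_OK;
}

/* Constructed sample data: entry (2 bytes), hole (3 bytes), entry (1 byte). */
static const unsigned char sample_ok[] = {
    0,0,0,2, 0xAA,0xBB, 0xFF,0xFF,0xFF,0xFD, 0,0,0, 0,0,0,1, 0xCC };
/* Constructed sample data: a length field of -2^31. */
static const unsigned char sample_min[] = { 0x80,0,0,0, 0x01 };

int main(void)
{
    size_t e, h;
    int r = count_records(sample_ok, sizeof(sample_ok), &e, &h);
    printf("ok: %d entries=%zu holes=%zu\n", r, e, h);
    printf("min: %d\n", count_records(sample_min, sizeof(sample_min), &e, &h));
    return 0;
}
```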



