[krbdev.mit.edu #9022] Potential integer overflows
Kihong Heo via RT
rt-comment at kerborg-prod-app-1.mit.edu
Mon Aug 2 23:07:37 EDT 2021
Mon Aug 02 23:07:36 2021: Request 9022 was acted upon.
Transaction: Ticket created by kihong.heo at gmail.com
Queue: krb5
Subject: Potential integer overflows
Owner: Nobody
Requestors: kihong.heo at gmail.com
Status: new
Ticket <URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9022 >
Dear Kerberos developers,
It seems that there exist several potential integer overflows that can lead to buffer overflows. Please find the following description:
In the latest version of Kerberos (1.19.2),
1. src/kadmin/dbutil/dump.c:660: fscanf reads arbitrarily large integers into u1, u2, …
2. src/kadmin/dbutil/dump.c:671: Call to malloc with the large integer added by one can return a non-null yet invalid address according to the standard.
3. src/kadmin/dbutil/dump.c:685: Call to calloc with the large integer can cause a memory allocation with an overflowed integer.
Best,
Kihong
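The pattern described in the report (a length field read from untrusted text with fscanf, then used in `malloc(n + 1)` or `calloc(n, size)`) is a classic integer-overflow-to-heap-overflow chain. The following is an added example written for this archive page; it is not krb5 code and does not reproduce dump.c. It shows the defensive counterpart: parse the field with a range-checked strtoul instead of an unchecked `%u`, cap it at a caller-supplied maximum, and refuse any allocation whose size arithmetic would wrap. The function names (`check_len_field`, `size_plus_one`, `alloc_array_checked`) and the 1024-byte cap in `main` are assumptions made for the example.

```c
/* Added example (not krb5 code): range-checked parsing of a length field
   and overflow-checked allocation, the defensive counterpart of the
   "fscanf -> malloc(n+1) / calloc(n, size)" pattern in the report. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse an unsigned decimal field, rejecting sign characters, trailing
   junk, values that do not fit in unsigned int, and values above 'max'.
   Returns the parsed value, or -1 on any error (so callers can test it). */
long long check_len_field(const char *text, unsigned int max)
{
    char *end;
    unsigned long v;

    if (text == NULL || *text == '\0' || *text == '-' || *text == '+')
        return -1;
    errno = 0;
    v = strtoul(text, &end, 10);
    if (errno == ERANGE || end == text)       /* overflow or no digits */
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\n')
        end++;
    if (*end != '\0')                          /* trailing garbage */
        return -1;
    if (v > UINT_MAX || v > max)               /* does not fit / over cap */
        return -1;
    return (long long)v;
}

/* Compute n + 1 in size_t only if it cannot wrap in unsigned int
   arithmetic. Returns 0 and sets *out on success, -1 if n + 1 would wrap. */
int size_plus_one(unsigned int n, size_t *out)
{
    if (n == UINT_MAX)                         /* n + 1 wraps to 0 */
        return -1;
    *out = (size_t)n + 1;
    return 0;
}

/* malloc(n + 1) guarded by size_plus_one(); NULL on overflow. */
void *alloc_plus_one(unsigned int n)
{
    size_t sz;
    if (size_plus_one(n, &sz) != 0)
        return NULL;
    return malloc(sz);
}

/* calloc(count, elem) with an explicit count*elem overflow check, so the
   caller does not rely on the C library catching the multiplication. */
void *alloc_array_checked(unsigned int count, size_t elem)
{
    if (elem != 0 && count > SIZE_MAX / elem)
        return NULL;
    return calloc(count, elem);
}

/* Stand-alone demonstration: parse a constructed record line with three
   numeric fields (assumed format, not the dump file format) under a
   1024-byte cap, then allocate only if every field passed. */
int main(void)
{
    const char *fields[] = { "12", "4294967295", "99999" };  /* constructed */
    unsigned int i;

    for (i = 0; i < 3; i++) {
        long long n = check_len_field(fields[i], 1024);
        if (n < 0) {
            printf("field %u (%s): rejected\n", i, fields[i]);
            continue;
        }
        void *p = alloc_plus_one((unsigned int)n);
        printf("field %u (%s): allocated %lld+1 bytes -> %s\n",
               i, fields[i], n, p ? "ok" : "refused");
        free(p);
    }
    return 0;
}
```

The key point is ordering: the bound check happens on the parsed value before any arithmetic on it, and the allocation helpers check the arithmetic again rather than trusting that the caller did. Running the demo rejects the second and third fields at the parse step, so they never reach malloc.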