Check princ length in krb5_sname_match()
authorGreg Hudson <ghudson@mit.edu>
Thu, 12 May 2016 20:03:06 +0000 (16:03 -0400)
committerGreg Hudson <ghudson@mit.edu>
Thu, 26 May 2016 15:47:22 +0000 (11:47 -0400)
krb5_sname_match() can read past the end of princ's component array in
some circumstances (typically when a keytab contains both "x" and
"x/y" principals).  Add a length check.  Reported by Spencer Jackson.

ticket: 8415
target_version: 1.14-next
target_version: 1.13-next
tags: pullup

src/lib/krb5/krb/sname_match.c

index 0c7bd39e80bdcc8c2148d85a25b9cc5a496f8903..9520dfc11c2c3b7b97098f7ee2162a711dd364cc 100644 (file)
@@ -36,6 +36,9 @@ krb5_sname_match(krb5_context context, krb5_const_principal matching,
     if (matching->type != KRB5_NT_SRV_HST || matching->length != 2)
         return krb5_principal_compare(context, matching, princ);
 
+    if (princ->length != 2)
+        return FALSE;
+
     /* Check the realm if present in matching. */
     if (matching->realm.length != 0 && !data_eq(matching->realm, princ->realm))
         return FALSE;
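Review bot: The new `princ->length != 2` guard has no comment, while the realm check directly below it does, so the code does not show that this is a bounds check rather than a matching rule. I would add `/* princ must have exactly two components; the comparisons below index both. */` above it; the component accesses are outside this hunk, so that wording is inferred from the commit message. The commit message names a concrete trigger (a keytab holding both "x" and "x/y" principals), and a regression test matching a one-component princ against a two-component host-based principal would keep the over-read from returning; no such test is visible in this commit. The body of krb5_sname_match starts before and continues after the hunk.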