From: Arjun Date: Fri, 11 Oct 2024 03:22:52 +0000 (+0530) Subject: Fix potential PAC processing crash X-Git-Tag: krb5-1.22-beta1~68 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=331e393c6def46c00b6b54e1b2a0d1080c2af9e0;p=thirdparty%2Fkrb5.git Fix potential PAC processing crash An input to krb5_pac_parse() with a zero-length buffer at the end of the PAC can cause an assertion failure in k5_pac_locate_buffer() due to an off-by-one error. Correct the assertion. [ghudson@mit.edu: edited commit message] ticket: 9144 (new) tags: pullup target_version: 1.21-next --- diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 77adcd2726..909196b8d6 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -146,7 +146,7 @@ k5_pac_locate_buffer(krb5_context context, const krb5_pac pac, uint32_t type, if (buffer == NULL) return ENOENT; - assert(buffer->offset < pac->data.length); + assert(buffer->offset <= pac->data.length); assert(buffer->size <= pac->data.length - buffer->offset); if (data_out != NULL)
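Review bot: In the k5_pac_locate_buffer() hunk at line 149, the relaxed check `assert(buffer->offset <= pac->data.length);` is still an assert() on values that, per the commit message, derive from input to krb5_pac_parse(). Any remaining mismatch between what the parser accepts and what this function assumes will therefore abort the process again, and a build with NDEBUG would drop both checks entirely. Consider replacing the two assertions with explicit checks that return an error, in the same style as the `return ENOENT;` just above them, or add a comment naming the parser invariant they depend on. It would also help to note that the first assertion keeps `pac->data.length - buffer->offset` in the second from wrapping. With offset equal to length, the second assertion only passes when size is 0, so the new bound is as tight as it can be. The patch as shown touches only pac.c; a regression test that parses a PAC ending in a zero-length buffer would keep this boundary case covered.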