From: Joshua Neuheisel <jneuheisel@stsci.edu>
Date: Fri, 3 Jul 2020 15:29:26 +0000 (-0400)
Subject: Avoid backward seeks when reading keytab files
X-Git-Tag: krb5-1.19-beta1~55
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=99f7ad2831a01f264c07eed42a0a3a9336b86184;p=thirdparty%2Fkrb5.git

Avoid backward seeks when reading keytab files

When considering or bypassing an empty record in a keytab file, check
for a lenth of INT32_MIN.  Otherwise we could perform a backwards
seek, as the inverse of INT32_MIN is still negative.

[ghudson@mit.edu: adjusted comments; wrote commit message]

ticket: 8914
---

diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c
index 80db1179d1..e510211fc5 100644
--- a/src/lib/krb5/keytab/kt_file.c
+++ b/src/lib/krb5/keytab/kt_file.c
@@ -921,6 +921,8 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke
             size = ntohl(size);
 
         if (size < 0) {
+            if (size == INT32_MIN)  /* INT32_MIN inverts to itself. */
+                return KRB5_KT_FORMAT;
             if (fseek(KTFILEP(id), -size, SEEK_CUR)) {
                 return errno;
             }
@@ -1347,6 +1349,8 @@ krb5_ktfileint_find_slot(krb5_context context, krb5_keytab id, krb5_int32 *size_
                 return errno;
         } else if (size < 0) {
             /* Empty record; use if it's big enough, seek past otherwise. */
+            if (size == INT32_MIN)  /* INT32_MIN inverts to itself. */
+                return KRB5_KT_FORMAT;
             size = -size;
             if (size >= *size_needed) {
                 *size_needed = size;
diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
index 633f7c7ef8..850375c921 100755
--- a/src/tests/t_keytab.py
+++ b/src/tests/t_keytab.py
@@ -185,5 +185,12 @@ test_addent(realm, 'default', '-f -e aes128-cts')
 test_addent(realm, 'exp', '-f')
 test_addent(realm, 'pexp', '-f')
 
-success('Keytab-related tests')
+# Regression test for #8914: INT32_MIN length can cause backwards seek
+mark('invalid record length')
+f = open(realm.keytab, 'wb')
+f.write(b'\x05\x02\x80\x00\x00\x00')
+f.close()
+msg = 'Bad format in keytab while scanning keytab'
+realm.run([klist, '-k'], expected_code=1, expected_msg=msg)
+
 success('Keytab-related tests')