From: Greg Hudson Date: Thu, 10 Apr 2025 00:19:02 +0000 (-0400) Subject: Check lengths in xdr_krb5_key_data() X-Git-Tag: krb5-1.22-beta1~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e195747d2f8a8e1cd1694d768dba9265439228d0;p=thirdparty%2Fkrb5.git Check lengths in xdr_krb5_key_data() Ensure that xdr_krb5_key_data() does not produce an inconsistent representation if the serialized key_data_contents fields do not match the corresponding byte array lengths. (This function is only used by libkadm5srv to serialize historical key data in per-principal kadmin data.) ticket: 9172 (new) --- diff --git a/src/lib/kadm5/srv/adb_xdr.c b/src/lib/kadm5/srv/adb_xdr.c index b6ffdb8c7a..b14cb96eed 100644 --- a/src/lib/kadm5/srv/adb_xdr.c +++ b/src/lib/kadm5/srv/adb_xdr.c @@ -36,11 +36,15 @@ xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp) if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[0], &tmp, ~0)) return FALSE; + if (tmp != objp->key_data_length[0]) + return FALSE; tmp = (unsigned int) objp->key_data_length[1]; if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[1], &tmp, ~0)) return FALSE; + if (tmp != objp->key_data_length[1]) + return FALSE; /* don't need to copy tmp out, since key_data_length will be set by the above encoding. */
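Review bot: The two new `return FALSE` paths in xdr_krb5_key_data() can be taken on decode after the preceding xdr_bytes() call has already allocated key_data_contents[0] or key_data_contents[1], so the caller receives a partially filled krb5_key_data whose length fields disagree with the decoded buffers. It is worth confirming that every caller releases the object on failure (for example through xdr_free()) instead of using or leaking it, and saying so in a comment next to the checks. The comparison `tmp != objp->key_data_length[0]` also mixes an unsigned int with a field that the existing `(unsigned int)` cast suggests has a different type; comparing against the same cast expression used in the assignment would make the intended conversion explicit. The trailing comment about not needing to copy tmp out could be updated to state that a mismatch is now rejected, since that is what makes the copy-out unnecessary.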