git.ipfire.org Git - thirdparty/krb5.git/commit
Fix null deref in KDC when decoding invalid NDR
author Greg Hudson <ghudson@mit.edu>
Wed, 12 Oct 2022 04:46:52 +0000 (00:46 -0400)
committer Greg Hudson <ghudson@mit.edu>
Thu, 3 Nov 2022 04:58:50 +0000 (00:58 -0400)
commit fa62bd33a0c0889c083999c0289ffa81a5d51e7b
tree 033d559e1c1e396c000699b4593978fe2cae7afb
parent fb9cf8cfbf8da0d160cb61250b952f2b8e5484f4
Fix null deref in KDC when decoding invalid NDR

In ndr_dec_delegation_info(), keep di->transited_services_length valid
by incrementing it as we add entries.  Otherwise
ndr_free_delegation_info() could dereference a null
di->transited_services field.  Also bound nservices using data->length
to prevent inordinately large memory allocations.  Credit to OSS-Fuzz
for discovering the issues.

ticket: 9073 (new)
tags: pullup
target_version: 1.20-next
src/kdc/ndr.c
src/kdc/t_ndr.c
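
The two defenses named in the commit message, shown as an added example that is not the krb5 code: the entry count is bounded by the remaining input before anything is allocated, and the stored length is incremented only as each entry is added, so the free routine never walks past what was stored. The struct, function names and wire format (a 32-bit little-endian count, then a 1-byte length plus bytes for each entry) are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical structure; the field names are not the krb5 ones. */
struct deleg {
    char **services;   /* array of decoded names */
    uint32_t length;   /* number of valid entries in services */
};

/* Frees exactly `length` entries, so `length` must never exceed what was stored. */
void deleg_free(struct deleg *d)
{
    for (uint32_t i = 0; i < d->length; i++)
        free(d->services[i]);
    free(d->services);
    d->services = NULL;
    d->length = 0;
}

/* Constructed format: u32 LE count, then per entry a 1-byte length and bytes.
 * Returns 0 on success, -1 on bad input; *d is safe to free either way. */
int deleg_decode(const uint8_t *p, size_t len, struct deleg *d)
{
    uint32_t n;
    d->services = NULL;
    d->length = 0;
    if (len < 4)
        return -1;
    n = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    p += 4, len -= 4;
    /* Each entry takes at least one byte, so the count cannot exceed the input left. */
    if (n > len)
        return -1;
    d->services = calloc(n ? n : 1, sizeof(*d->services));
    if (d->services == NULL)
        return -1;
    for (uint32_t i = 0; i < n; i++) {
        size_t slen;
        if (len < 1 || (slen = p[0]) > len - 1)
            return -1;          /* length still counts only stored entries */
        d->services[i] = malloc(slen + 1);
        if (d->services[i] == NULL)
            return -1;
        memcpy(d->services[i], p + 1, slen);
        d->services[i][slen] = '\0';
        d->length++;            /* count the entry only once it is stored */
        p += slen + 1, len -= slen + 1;
    }
    return 0;
}
```

Setting the length to the declared count up front instead would leave the free routine walking entries that were never stored after a failed decode, or indexing a null array after a failed allocation.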