From 331e393c6def46c00b6b54e1b2a0d1080c2af9e0 Mon Sep 17 00:00:00 2001
From: Arjun
Date: Fri, 11 Oct 2024 08:52:52 +0530
Subject: [PATCH] Fix potential PAC processing crash

An input to krb5_pac_parse() with a zero-length buffer at the end of the PAC can cause an assertion failure in k5_pac_locate_buffer() due to an off-by-one error. Correct the assertion.

[ghudson@mit.edu: edited commit message]

ticket: 9144 (new)
tags: pullup
target_version: 1.21-next
---
 src/lib/krb5/krb/pac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 77adcd2726..909196b8d6 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -146,7 +146,7 @@ k5_pac_locate_buffer(krb5_context context, const krb5_pac pac, uint32_t type,
 if (buffer == NULL) return ENOENT;
- assert(buffer->offset < pac->data.length);
+ assert(buffer->offset <= pac->data.length);
 assert(buffer->size <= pac->data.length - buffer->offset);
 if (data_out != NULL)
--
2.47.2
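Review bot: The two bounds checks in k5_pac_locate_buffer() remain assert()s, so any future disagreement between them and the validation in krb5_pac_parse() again turns attacker-supplied PAC bytes into a process abort, and in an NDEBUG build the checks disappear entirely. The function already reports failures by return code (`return ENOENT;` just above), so consider failing closed instead: `if (buffer->offset > pac->data.length || buffer->size > pac->data.length - buffer->offset) return ERANGE;`. If the asserts stay, a comment such as `/* offset == length is valid only for a zero-length buffer at the end of the PAC */` would record why `<=` is the right bound. The diffstat shows only pac.c changed, so a regression test that parses a PAC whose final buffer has zero length appears to be missing. The function body continues outside the hunk, so how callers treat a zero-length result pointing at the end of the data is not visible here and is worth confirming.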