From e195747d2f8a8e1cd1694d768dba9265439228d0 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 9 Apr 2025 20:19:02 -0400
Subject: [PATCH] Check lengths in xdr_krb5_key_data()
Ensure that xdr_krb5_key_data() does not produce an inconsistent representation if the serialized key_data_contents fields do not match the corresponding byte array lengths. (This function is only used by libkadm5srv to serialize historical key data in per-principal kadmin data.)
ticket: 9172 (new)
---
 src/lib/kadm5/srv/adb_xdr.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/lib/kadm5/srv/adb_xdr.c b/src/lib/kadm5/srv/adb_xdr.c
index b6ffdb8c7a..b14cb96eed 100644
--- a/src/lib/kadm5/srv/adb_xdr.c
+++ b/src/lib/kadm5/srv/adb_xdr.c
@@ -36,11 +36,15 @@ xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp)
 if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[0], &tmp, ~0))
 return FALSE;
+ if (tmp != objp->key_data_length[0])
+ return FALSE;
 tmp = (unsigned int) objp->key_data_length[1];
 if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[1], &tmp, ~0))
 return FALSE;
+ if (tmp != objp->key_data_length[1])
+ return FALSE;
 /* don't need to copy tmp out, since key_data_length will be set by the above encoding. */
-- 2.47.2
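Review bot: On the two new `return FALSE` paths, `objp->key_data_contents[i]` still points at the buffer xdr_bytes() sized from the stream while `key_data_length[i]` holds the other value, so the mismatched pair this commit guards against is still present in `objp` when a decode fails. Whether that is harmless depends on how callers clean up after a failed decode, which is outside this hunk; cleanup that walks `key_data_length` to zero or free the contents would touch the wrong number of bytes. I would state the contract at the first check, e.g. `/* On decode, xdr_bytes() sets tmp from the stream; on mismatch the caller must release objp with XDR_FREE, not by key_data_length. */`. The checks also run only after xdr_bytes() has been called with a limit of `~0`, so an oversized stored length is rejected late rather than bounded up front. The body of xdr_krb5_key_data() starts and ends outside the hunk.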