A malformed KRB-CRED message may have fewer entries in the encrypted
ticket-info list than it has in the tickets list. In each loop
iteration, check if we unexpectedly reached the end of the ticket-info
list to avoid a null dereference.
[ghudson@mit.edu: added comment; rewrote commit message]
ticket: 9211 (new)
tags: pullup
target_version: 1.22-next
goto cleanup;
info = encpart->ticket_info[i];
+ if (info == NULL) {
+ /* We unexpectedly reached the end of the encrypted ticket info. */
+ ret = KRB5KRB_AP_ERR_MODIFIED;
+ goto cleanup;
+ }
ret = krb5_copy_principal(context, info->client, &list[i]->client);
if (ret)
goto cleanup;
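Review bot: The new `info == NULL` test runs only after `encpart->ticket_info[i]` has already been indexed, so it guards against a short list but not against `encpart->ticket_info` itself being NULL. If the decoder can leave that pointer NULL for an empty ticket-info sequence, the line above the check would still fault; confirm that it cannot, or test the pointer before the loop. The check also relies on the array being NULL-terminated, which would be worth stating in the comment. The reverse mismatch (more ticket-info entries than tickets) is not visible in this hunk, and it may deserve the same KRB5KRB_AP_ERR_MODIFIED treatment after the loop. A regression test with a KRB-CRED whose ticket-info list is shorter than its tickets list would keep this from recurring.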