From: Bogdan Boguslavskij <bogdanb@altlinux.org>
Date: Wed, 20 May 2026 14:07:20 +0000 (+0300)
Subject: Fix DB2 hash bitmap page count validation
X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fkrb5.git

Fix DB2 hash bitmap page count validation

In __kdb2_hash_open(), bpages is computed from the hash file header
and then used as the size argument when clearing hashp->mapp.  The
mapp array has only NCACHED entries, so a malformed hash database can
cause memset() to write past the end of the array.  Return EFTYPE if
the computed bitmap page count is negative or greater then NCACHED.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

ticket: 9215
---

diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c
index 7c3e951aa2..f90aae0f9a 100644
--- a/src/plugins/kdb/db2/libdb2/hash/hash.c
+++ b/src/plugins/kdb/db2/libdb2/hash/hash.c
@@ -170,6 +170,9 @@ __kdb2_hash_open(const char *file, int flags, int mode, const HASHINFO *info,
 		    (hashp->hdr.bsize << BYTE_SHIFT) - 1) >>
 		    (hashp->hdr.bshift + BYTE_SHIFT);
 
+		if (bpages > NCACHED || bpages < 0)
+			RETURN_ERROR(EFTYPE, error1);
+
 		hashp->nmaps = bpages;
 		(void)memset(&hashp->mapp[0], 0, bpages * sizeof(u_int32_t *));
 	}