From: Sebastián Alba Date: Wed, 8 Apr 2026 22:32:25 +0000 (-0400) Subject: Prevent read overrun in libkdb_ldap X-Git-Url: http://git.ipfire.org/index.cgi?a=commitdiff_plain;h=HEAD;p=thirdparty%2Fkrb5.git Prevent read overrun in libkdb_ldap In berval2tl_data(), reject inputs of length less than 2 to prevent an integer underflow and subsequent read overrun. (The security impact is negligible as the attacker would have to control the KDB LDAP server.) [ghudson@mit.edu: wrote commit message] ticket: 9206 (new) tags: pullup target_version: 1.22-next
---
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 418d253d17..9aa68bacd7 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -80,6 +80,9 @@ getstringtime(krb5_timestamp);
 krb5_error_code
 berval2tl_data(struct berval *in, krb5_tl_data **out)
 {
+ if (in->bv_len < 2)
+ return EINVAL;
+
 *out = (krb5_tl_data *) malloc (sizeof (krb5_tl_data));
 if (*out == NULL)
 return ENOMEM;
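Review bot: The new early return at the top of berval2tl_data() leaves `*out` unassigned, whereas the ENOMEM return just below it leaves `*out` NULL because the failed malloc() result has already been stored there. A caller that frees or inspects `*out` after a non-zero return would read an indeterminate pointer on the EINVAL path only; whether such a caller exists is not visible in this hunk. Setting `*out = NULL;` ahead of the `if (in->bv_len < 2)` test would make both error paths behave the same. A one-line comment such as `/* Reject short input so the later bv_len - 2 cannot wrap. */` would also record why 2 is the minimum, which at present only the commit message explains; the code that uses the length lies outside the hunk.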