authorGreg Hudson <ghudson@mit.edu>2016-05-12 16:03:06 -0400
committerTom Yu <tlyu@mit.edu>2016-07-06 15:16:59 -0400
commit685cb577890bc565ab122bc65027e177c180e12f (patch)
tree0957d168bac89f3decb61efaa5560380e842ba02
parent0bd95632ee32bed42038f1a3c5c07f24741a573a (diff)
Check princ length in krb5_sname_match()
krb5_sname_match() can read past the end of princ's component array in some circumstances (typically when a keytab contains both "x" and "x/y" principals). Add a length check. Reported by Spencer Jackson. (cherry picked from commit fb9fcfa92fd37221c77e1a4c0b930383e6839e22) ticket: 8415 version_fixed: 1.13.6
-rw-r--r--src/lib/krb5/krb/sname_match.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/lib/krb5/krb/sname_match.c b/src/lib/krb5/krb/sname_match.c
index 0c7bd39..9520dfc 100644
--- a/src/lib/krb5/krb/sname_match.c
+++ b/src/lib/krb5/krb/sname_match.c
@@ -36,6 +36,9 @@ krb5_sname_match(krb5_context context, krb5_const_principal matching,
if (matching->type != KRB5_NT_SRV_HST || matching->length != 2)
return krb5_principal_compare(context, matching, princ);
+ if (princ->length != 2)
+ return FALSE;
+
/* Check the realm if present in matching. */
if (matching->realm.length != 0 && !data_eq(matching->realm, princ->realm))
return FALSE;