[krbdev.mit.edu #8914] Invalid negative record length in keytab file

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[krbdev.mit.edu #8914] Invalid negative record length in keytab file

Greg Hudson via RT

Fri Jun 12 16:32:28 2020: Request 8914 was acted upon.
 Transaction: Ticket created by [hidden email]
       Queue: krb5
     Subject: Invalid negative record length in keytab file
       Owner: Nobody
  Requestors: [hidden email]
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8914 >

I’ve found an unlikely case where keytab record lengths produce unexpected behavior. The following snippet of code, when run in bash, will create a 2GB file called bad.keytab. When this file is read (read_kt) using ktutil, the process will enter an infinite loop:
(echo -ne '\05\02\0200\0\0\010'; dd if=/dev/zero count=21474 bs=100000; dd if=/dev/zero count=1 bs=83640; echo -ne '\0200\0\0\0') >bad.keytab

The reason is the code in krb5_ktfileint_internal_read_entry (kt_file.c:924 in krb5-1.18.2.tar.gz) assumes that the 2s compliment of a negative 32bit integer is always positive. This is not true for (int32_t) 0x80000000.

Given the wording of https://web.mit.edu/kerberos/krb5-1.18/doc/formats/keytab_file_format.html, it’s not clear to me what the expected behavior should be, although an infinite loop is definitely undesirable. I’d be happy to help supply a patch if it’s clear what the expected behavior should be.

Joshua Neuheisel

krb5-bugs mailing list
[hidden email]