Subject: Potential integer overflows
Date: Tue, 27 Jul 2021 20:35:32 +0900
From: "Kihong Heo" <kihong.heo@gmail.com>
CC: "강우석" <kangwoosukeq@kaist.ac.kr>
To: krb5-bugs@mit.edu
Dear Kerberos developers,
It seems that there exist several potential integer overflows that can lead to buffer overflows. Please find the following description:
In the latest version of Kerberos (1.19.2),
1. src/kadmin/dbutil/dump.c:660: fscanf reads arbitrarily large integers into u1, u2, …
2. src/kadmin/dbutil/dump.c:671: Call to malloc with the large integer added by one can return a non-null yet invalid address according to the standard.
3. src/kadmin/dbutil/dump.c:685: Call to calloc with the large integer can cause a memory allocation with an overflowed integer
Best,
Kihong
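Added example, not krb5's code and not from the reporter: the defensive checks the three points above call for, i.e. parsing a count with overflow detection instead of a bare fscanf conversion, and checking the `count + 1` and `nmemb * size` arithmetic before the allocation call. The function names, the MAX_RECORD_ITEMS bound and the inputs are assumptions for this illustration.

```c
/* Hypothetical helpers illustrating the report; not code from dump.c. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest count a record may declare; an assumed, application-specific bound. */
#define MAX_RECORD_ITEMS 1000000u

/* Parse a non-negative decimal count from text.
 * Unlike fscanf("%u"/"%d"), strtoul reports overflow via ERANGE, and the
 * explicit range check rejects numbers that are legal but unreasonable sizes.
 * Returns 0 on success, -1 on any error. */
int parse_count(const char *text, unsigned int *out)
{
    char *end = NULL;
    unsigned long v;

    /* strtoul silently accepts a leading '-' and wraps, so reject it here. */
    if (text == NULL || *text == '\0' || *text == '-')
        return -1;
    errno = 0;
    v = strtoul(text, &end, 10);
    if (errno == ERANGE || end == text || *end != '\0')
        return -1;
    if (v > MAX_RECORD_ITEMS)
        return -1;
    *out = (unsigned int)v;
    return 0;
}

/* Allocate count + 1 bytes only when the addition cannot wrap to 0:
 * malloc(0) may return a non-NULL pointer that is invalid to dereference. */
void *alloc_plus_one(unsigned int count)
{
    if (count > UINT_MAX - 1u)
        return NULL;
    return malloc((size_t)count + 1u);
}

/* Array allocation with the multiplication checked before it is performed,
 * so a wrapped product is never handed to the allocator. */
void *alloc_array(size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size)
        return NULL;
    return calloc(nmemb, size);
}
```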