From 4c7b8616e9d38672075c5942994469841b7d32b8 Mon Sep 17 00:00:00 2001
From: hwipl <33433250+hwipl@users.noreply.github.com>
Date: Wed, 5 Jul 2023 16:07:22 +0200
Subject: [PATCH] Check CCache file length in LoadCCache()

Check the file length of the credentials cache file in LoadCCache() to avoid a panic when parsing a short ccache file, e.g., an empty file.

Signed-off-by: hwipl <33433250+hwipl@users.noreply.github.com>
---
 v8/credentials/ccache.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/v8/credentials/ccache.go b/v8/credentials/ccache.go
index a021e414..6ea97d8c 100644
--- a/v8/credentials/ccache.go
+++ b/v8/credentials/ccache.go
@@ -15,6 +15,13 @@ import (
 const (
 headerFieldTagKDCOffset = 1
+
+ // minimumCCacheFileLength is the minimum length of the credential
+ // cache file in bytes. This is a rough estimate of a minimum ccache
+ // file that contains: the version indicator (2 bytes), no header,
+ // minimum default principal (8 bytes), no credentials. See:
+ // https://web.mit.edu/kerberos/krb5-latest/doc/formats/ccache_file_format.html
+ minimumCCacheFileLength = 10
 )
 // CCache is the file credentials cache as define here: https://web.mit.edu/kerberos/krb5-latest/doc/formats/ccache_file_format.html
@@ -67,6 +74,9 @@ func LoadCCache(cpath string) (*CCache, error) {
 if err != nil {
 return c, err
 }
+ if len(b) < minimumCCacheFileLength {
+ return c, errors.New("Invalid credential cache file length: file is too short")
+ }
 err = c.Unmarshal(b)
 return c, err
 }
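Review bot: The `len(b) < minimumCCacheFileLength` guard in LoadCCache only rejects inputs shorter than 10 bytes, so a truncated or malformed cache longer than that presumably still reaches the same out-of-range read inside `c.Unmarshal(b)`, whose body is not in this hunk. The guard also sits in the file-loading wrapper, so any caller that passes bytes to `Unmarshal` directly gets no protection. A ccache file can be written by another process or user, so the parser should treat it as untrusted input: do the length test at the top of `Unmarshal` and bounds-check each length-prefixed field before slicing, returning an error rather than panicking. As a smaller style point, Go error strings are conventionally lowercase, e.g. `errors.New("invalid credential cache file length: file is too short")`. LoadCCache begins above the hunk, so how `b` is read is not visible here.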