Fedora Account System
Red Hat Associate
Red Hat Customer
Two related off-by-one memory safety bugs in the FreeIPA ipa-otpd daemon, in oauth2_on_child_readable() (daemons/ipa-otpd/oauth2.c). Confirmed by reporter with AddressSanitizer on minimal reproducers. Verified against upstream master (2026-07-03): vulnerable code still present. Bug #1 — Out-of-bounds write (CWE-787), oauth2.c ~line 282 static char buf[10240]; io = read(verto_get_fd(ev), buf, 10240); if (io >= 0) { buf[io] = '\0'; // OOB when io == 10240 } Bug #2 — Out-of-bounds read (CWE-125), oauth2.c ~line 305 rad_reply = memchr(buf, '\n', io); if (rad_reply != NULL) { *rad_reply = '\0'; rad_reply++; end = memchr(rad_reply, '\n', io - (rad_reply - 1 - buf)); // off by 1 } Prerequisites: 1. FreeIPA configured with external IdP (ipa idp-add) 2. Attacker controls IdP endpoint or can MITM IdP traffic 3. A domain user initiates OAuth2 device authorization (kinit / IdP-backed account) Requirements to exploit: No FreeIPA admin credentials required on attacker side. Attacker operates at the IdP layer. User interaction required to start the OAuth2 device flow. Exploitation preconditions are non-trivial (IdP control/MITM + configured IdP).