diff options
| author | Tom Yu <tlyu@mit.edu> | 2012-07-31 23:20:30 -0400 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2012-08-01 13:56:33 -0400 |
| commit | dee054247300c1ae955dfadf237f4073817d98d6 (patch) | |
| tree | 090163d7da21e4f433d4b9f2aa1ed3e1a98a9f5a | |
| parent | 8e368382a3029075adc373a1338efed285dca215 (diff) | |
| download | krb5-dee054247300c1ae955dfadf237f4073817d98d6.zip krb5-dee054247300c1ae955dfadf237f4073817d98d6.tar.gz krb5-dee054247300c1ae955dfadf237f4073817d98d6.tar.bz2 | |
Fix KDC uninit ptrs [CVE-2012-1014 CVE-2012-1015]
Fix KDC heap corruption and crash vulnerabilities [MITKRB5-SA-2012-001
CVE-2012-1014 CVE-2012-1015].
CVE-2012-1015: The cleanup code in kdc_handle_protected_negotiation()
in kdc_util.c could free an uninitialized pointer in some error
conditions involving "similar" enctypes and a failure in
krb5_c_make_checksum(). Initialize the pointer correctly.
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of
CVE-2012-1015 (possibly in unpatched KDCs).
CVE-2012-1014: process_as_req() could encounter an error condition
(typically a malformed AS-REQ message) that could cause its cleanup
code to dereference an uninitialized pointer, causing a crash.
Initialize the pointer correctly.
ticket: 7226 (new)
version_fixed: 1.10.3
status: resolved
| -rw-r--r-- | src/kdc/do_as_req.c | 3 | ||||
| -rw-r--r-- | src/kdc/kdc_preauth.c | 3 | ||||
| -rw-r--r-- | src/kdc/kdc_util.c | 1 | ||||
| -rw-r--r-- | src/lib/kdb/kdb_default.c | 3 |
4 files changed, 8 insertions, 2 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index 23623fe..8ada9d0 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -463,7 +463,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, krb5_enctype useenctype; struct as_req_state *state; - state = malloc(sizeof(*state)); + state = calloc(sizeof(*state), 1); if (!state) { (*respond)(arg, ENOMEM, NULL); return; @@ -486,6 +486,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->authtime = 0; state->c_flags = 0; state->req_pkt = req_pkt; + state->inner_body = NULL; state->rstate = NULL; state->sname = 0; state->cname = 0; diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 9d8cb34..d4ece3f 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -1438,7 +1438,8 @@ etype_info_helper(krb5_context context, krb5_kdc_req *request, continue; } - if (request_contains_enctype(context, request, db_etype)) { + if (krb5_is_permitted_enctype(context, db_etype) && + request_contains_enctype(context, request, db_etype)) { retval = _make_etype_info_entry(context, client->princ, client_key, db_etype, &entry[i], etype_info2); diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index a43b291..94dad3a 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -2461,6 +2461,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request, return 0; pa.magic = KV5M_PA_DATA; pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP; + memset(&checksum, 0, sizeof(checksum)); retval = krb5_c_make_checksum(kdc_context,0, reply_key, KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum); if (retval != 0) diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index c4bf92e..367c894 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -61,6 +61,9 @@ krb5_dbe_def_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap) krb5_boolean saw_non_permitted = FALSE; ret = 0; + if (ktype != -1 && !krb5_is_permitted_enctype(kcontext, ktype)) + return KRB5_KDB_NO_PERMITTED_KEY; + if (kvno == -1 && stype == -1 && ktype == -1) kvno = 0; |