diff options
author | Nalin Dahyabhai <nalin@redhat.com> | 2012-12-13 14:26:07 -0500 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2013-01-02 18:29:51 -0500 |
commit | db64ca25d661a47b996b4e2645998b5d7f0eb52c (patch) | |
tree | e32c329fdda701b6623ff589ca7f1fa808dc97ca | |
parent | d6a6cd0e84154c782975955784678ebeebfee488 (diff) | |
download | krb5-db64ca25d661a47b996b4e2645998b5d7f0eb52c.zip krb5-db64ca25d661a47b996b4e2645998b5d7f0eb52c.tar.gz krb5-db64ca25d661a47b996b4e2645998b5d7f0eb52c.tar.bz2 |
PKINIT (draft9) null ptr deref [CVE-2012-1016]
Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.
The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process. An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
[tlyu@mit.edu: reformat comment and edit log message]
(back ported from commit cd5ff932c9d1439c961b0cf9ccff979356686aff)
ticket: 7527 (new)
version_fixed: 1.10.4
status: resolved
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_srv.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 3322310..c271bf9 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context context, rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) || (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) { - /* If mutually supported KDFs were found, use the alg agility KDF */ - if (rep->u.dh_Info.kdfID) { - secret.data = server_key; + /* If we're not doing draft 9, and mutually supported KDFs were found, + * use the algorithm agility KDF. */ + if (rep != NULL && rep->u.dh_Info.kdfID) { + secret.data = (char *)server_key; secret.length = server_key_len; retval = pkinit_alg_agility_kdf(context, &secret, |