diff options
| author | Greg Hudson <ghudson@mit.edu> | 2014-12-29 13:27:42 -0500 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2015-02-06 18:34:55 -0500 |
| commit | 9f6758ce9d1462ca94882e0e85e2a1d48cd32b0e (patch) | |
| tree | 72dd71f3256beb0e0063bf586944ad3026f1b948 | |
| parent | 0515f9e7b1d044f68e978f7192cd1e0fc4f5790f (diff) | |
| download | krb5-9f6758ce9d1462ca94882e0e85e2a1d48cd32b0e.zip krb5-9f6758ce9d1462ca94882e0e85e2a1d48cd32b0e.tar.gz krb5-9f6758ce9d1462ca94882e0e85e2a1d48cd32b0e.tar.bz2 | |
Fix kadmind server validation [CVE-2014-9422]
[MITKRB5-SA-2015-001] In kadmind's check_rpcsec_auth(), use
data_eq_string() instead of strncmp() to check components of the
server principal, so that we don't erroneously match left substrings
of "kadmin", "history", or the realm.
(cherry picked from commit 6609658db0799053fbef0d7d0aa2f1fd68ef32d8)
ticket: 8075 (new)
version_fixed: 1.11.6
status: resolved
| -rw-r--r-- | src/kadmin/server/kadm_rpc_svc.c | 12 |
1 files changed, 3 insertions, 9 deletions
diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c index a75bdb8..f2d270b 100644 --- a/src/kadmin/server/kadm_rpc_svc.c +++ b/src/kadmin/server/kadm_rpc_svc.c @@ -4,7 +4,7 @@ * */ -#include <k5-platform.h> +#include <k5-int.h> #include <gssrpc/rpc.h> #include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */ #include <syslog.h> @@ -301,14 +301,8 @@ check_rpcsec_auth(struct svc_req *rqstp) c1 = krb5_princ_component(kctx, princ, 0); c2 = krb5_princ_component(kctx, princ, 1); realm = krb5_princ_realm(kctx, princ); - if (strncmp(handle->params.realm, realm->data, realm->length) == 0 - && strncmp("kadmin", c1->data, c1->length) == 0) { - - if (strncmp("history", c2->data, c2->length) == 0) - goto fail_princ; - else - success = 1; - } + success = data_eq_string(*realm, handle->params.realm) && + data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history"); fail_princ: if (!success) { |