authorGreg Hudson <ghudson@mit.edu>2016-01-08 12:45:25 -0500
committerTom Yu <tlyu@mit.edu>2016-02-08 17:57:38 -0500
commit6e84bedf362f1d7f36d850774bbac6f3dee21ecd (patch)
tree4bd9b1a4ed121444ec8fa2aae460904d35cc2d97
parentf513d6705809f30ae907059b5a367ac2718a96f6 (diff)
Verify decoded kadmin C strings [CVE-2015-8629]
In xdr_nullstring(), check that the decoded string is terminated with a zero byte and does not contain any internal zero bytes. CVE-2015-8629: In all versions of MIT krb5, an authenticated attacker can cause kadmind to read beyond the end of allocated memory by sending a string without a terminating zero byte. Information leakage may be possible for an attacker with permission to modify the database. CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C (cherry picked from commit df17a1224a3406f57477bcd372c61e04c0e5a5bb) ticket: 8341 version_fixed: 1.13.4 tags: -pullup status: resolved
-rw-r--r--src/lib/kadm5/kadm_rpc_xdr.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 975f94c..6ccfcea 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
return FALSE;
}
}
- return (xdr_opaque(xdrs, *objp, size));
+ if (!xdr_opaque(xdrs, *objp, size))
+ return FALSE;
+ /* Check that the unmarshalled bytes are a C string. */
+ if ((*objp)[size - 1] != '\0')
+ return FALSE;
+ if (memchr(*objp, '\0', size - 1) != NULL)
+ return FALSE;
+ return TRUE;
case XDR_ENCODE:
if (size != 0)