diff options
| author | Greg Hudson <ghudson@mit.edu> | 2016-07-19 11:00:28 -0400 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2016-07-21 15:05:33 -0400 |
| commit | cce19103f7673edb54b1b8e5fa0a516bd009d2c3 (patch) | |
| tree | 0c502fafb7f178362d96188a7361d34ee294d412 | |
| parent | c1804f6b7674e7d18847ac11aa02b8b33ea93a6a (diff) | |
| download | krb5-cce19103f7673edb54b1b8e5fa0a516bd009d2c3.zip krb5-cce19103f7673edb54b1b8e5fa0a516bd009d2c3.tar.gz krb5-cce19103f7673edb54b1b8e5fa0a516bd009d2c3.tar.bz2 | |
Fix S4U2Self KDC crash when anon is restricted
In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.
CVE-2016-3120:
In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C
(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)
[tlyu@mit.edu: removed test case depending on absent functionality]
ticket: 8458
version_fixed: 1.13.6
| -rw-r--r-- | src/kdc/kdc_util.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 48be1ae..10daec4 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm, return(KDC_ERR_MUST_USE_USER2USER); } - if (check_anon(kdc_active_realm, request->client, request->server) != 0) { + if (check_anon(kdc_active_realm, client.princ, request->server) != 0) { *status = "ANONYMOUS NOT ALLOWED"; return(KDC_ERR_POLICY); } |