author | Greg Hudson <ghudson@mit.edu> | 2016-01-08 12:45:25 -0500 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2016-02-08 17:57:38 -0500 |
commit | 6e84bedf362f1d7f36d850774bbac6f3dee21ecd (patch) | |
tree | 4bd9b1a4ed121444ec8fa2aae460904d35cc2d97 | |
parent | f513d6705809f30ae907059b5a367ac2718a96f6 (diff) | |
Verify decoded kadmin C strings [CVE-2015-8629]
In xdr_nullstring(), check that the decoded string is terminated with
a zero byte and does not contain any internal zero bytes.
CVE-2015-8629:
In all versions of MIT krb5, an authenticated attacker can cause
kadmind to read beyond the end of allocated memory by sending a string
without a terminating zero byte. Information leakage may be possible
for an attacker with permission to modify the database.
CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
(cherry picked from commit df17a1224a3406f57477bcd372c61e04c0e5a5bb)
ticket: 8341
version_fixed: 1.13.4
tags: -pullup
status: resolved
-rw-r--r-- | src/lib/kadm5/kadm_rpc_xdr.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 975f94c..6ccfcea 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
 return FALSE;
 }
 }
-return (xdr_opaque(xdrs, *objp, size));
+if (!xdr_opaque(xdrs, *objp, size))
+return FALSE;
+/* Check that the unmarshalled bytes are a C string. */
+if ((*objp)[size - 1] != '\0')
+return FALSE;
+if (memchr(*objp, '\0', size - 1) != NULL)
+return FALSE;
+return TRUE;
 case XDR_ENCODE:
 if (size != 0)
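Review bot: The two new failure paths after the xdr_opaque() call return FALSE while leaving the unterminated, peer-supplied bytes in `*objp`, so until the caller runs xdr_free the pointer still looks like a decoded string but is not one — the same read-past-end this patch closes if any caller touches a partially decoded argument. If the braces closed by the context lines above belong to the allocate-when-NULL branch of the decode case (the start of xdr_nullstring is outside this hunk, so that is inferred), the decode path should release the buffer it allocated itself before failing, along the lines of `mem_free(*objp, size); *objp = NULL; return FALSE;`, with a local flag so a caller-provided buffer is not freed. The `size - 1` indexing relies on size being at least 1 here, which the hunk does not show being established; a comment such as `/* size >= 1 here: the size == 0 case returned earlier. */` would make that precondition explicit. The terminator and interior-NUL checks can also be folded into one scan, `if (memchr(*objp, '\0', size) != *objp + size - 1) return FALSE;`, which reads as "the only NUL is the final byte".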