diff options
| author | Tom Yu <tlyu@mit.edu> | 2010-02-16 22:21:08 +0000 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2010-02-16 22:21:08 +0000 |
| commit | 2124696b44e8812548a161905bce2e80f146b90c (patch) | |
| tree | 6616e076b30a5bc1f6dd57a3a170128abbce897d | |
| parent | 11199521554dc4a0d75a36d001900cbeb78652cf (diff) | |
| download | krb5-2124696b44e8812548a161905bce2e80f146b90c.zip krb5-2124696b44e8812548a161905bce2e80f146b90c.tar.gz krb5-2124696b44e8812548a161905bce2e80f146b90c.tar.bz2 | |
pull up r23724 from trunk
------------------------------------------------------------------------
r23724 | tlyu | 2010-02-16 17:10:17 -0500 (Tue, 16 Feb 2010) | 10 lines
ticket: 6662
subject: MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
tags: pullup
target_version: 1.8
Code introduced in krb5-1.7 can cause an assertion failure if a
KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
doesn't match the msg_type field. Thanks to Emmanuel Bouillon (NATO
C3 Agency) for discovering and reporting this vulnerability.
ticket: 6662
version_fixed: 1.8
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-8@23725 dc483132-0cff-0310-8789-dd5450dbe970
| -rw-r--r-- | src/kdc/do_as_req.c | 5 | ||||
| -rw-r--r-- | src/kdc/do_tgs_req.c | 2 | ||||
| -rw-r--r-- | src/kdc/fast_util.c | 2 |
3 files changed, 8 insertions, 1 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index b183dcf..3924297 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -139,6 +139,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, session_key.contents = 0; enc_tkt_reply.authorization_data = NULL; + if (request->msg_type != KRB5_AS_REQ) { + status = "msg_type mismatch"; + errcode = KRB5_BADMSGTYPE; + goto errout; + } errcode = kdc_make_rstate(&state); if (errcode != 0) { status = "constructing state"; diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index cb0496f..44b5791 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -143,6 +143,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from, retval = decode_krb5_tgs_req(pkt, &request); if (retval) return retval; + if (request->msg_type != KRB5_TGS_REQ) + return KRB5_BADMSGTYPE; /* * setup_server_realm() sets up the global realm-specific data pointer. diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index 06b1e2b..e411e32 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -384,7 +384,7 @@ kdc_fast_handle_error(krb5_context context, krb5_data *encoded_e_data = NULL; memset(outer_pa, 0, sizeof(outer_pa)); - if (!state->armor_key) + if (!state || !state->armor_key) return 0; fx_error = *err; fx_error.e_data.data = NULL; |