diff options
author | Andreas Schneider <asn@samba.org> | 2023-08-04 09:54:06 +0200 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2023-08-07 14:38:21 -0400 |
commit | 88a1701b423c13991a8064feeb26952d3641d840 (patch) | |
tree | 1db91d902617e2f691d84c14f76c118fe5548ea0 | |
parent | 0ceab6c363e65fb21d3312a663f2b9b569ecc415 (diff) | |
download | krb5-88a1701b423c13991a8064feeb26952d3641d840.zip krb5-88a1701b423c13991a8064feeb26952d3641d840.tar.gz krb5-88a1701b423c13991a8064feeb26952d3641d840.tar.bz2 |
Fix double-free in KDC TGS processing
When issuing a ticket for a TGS renew or validate request, copy only
the server field from the outer part of the header ticket to the new
ticket. Copying the whole structure causes the enc_part pointer to be
aliased to the header ticket until krb5_encrypt_tkt_part() is called,
resulting in a double-free if handle_authdata() fails.
[ghudson@mit.edu: changed the fix to avoid aliasing enc_part rather
than check for aliasing before freeing; rewrote commit message]
CVE-2023-39975:
In MIT krb5 release 1.21, an authenticated attacker can cause a KDC to
free the same pointer twice if it can induce a failure in
authorization data handling.
ticket: 9101 (new)
tags: pullup
target_version: 1.21-next
-rw-r--r-- | src/kdc/do_tgs_req.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 6e4c8fa..0acc458 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1010,8 +1010,9 @@ tgs_issue_ticket(kdc_realm_t *realm, struct tgs_req_info *t, } if (t->req->kdc_options & (KDC_OPT_VALIDATE | KDC_OPT_RENEW)) { - /* Copy the whole header ticket except for authorization data. */ - ticket_reply = *t->header_tkt; + /* Copy the header ticket server and all enc-part fields except for + * authorization data. */ + ticket_reply.server = t->header_tkt->server; enc_tkt_reply = *t->header_tkt->enc_part2; enc_tkt_reply.authorization_data = NULL; } else { |