diff options
author | Tom Yu <tlyu@mit.edu> | 2013-03-29 19:27:33 -0400 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2013-04-02 14:44:29 -0400 |
commit | 8ee70ec63931d1e38567905387ab9b1d45734d81 (patch) | |
tree | 7912ed430339e600c679ff7859a7d207db1b540b /src/kdc/do_tgs_req.c | |
parent | 2fef06bf57bf317c72d6c91d332935b6fc2e98e5 (diff) | |
download | krb5-8ee70ec63931d1e38567905387ab9b1d45734d81.zip krb5-8ee70ec63931d1e38567905387ab9b1d45734d81.tar.gz krb5-8ee70ec63931d1e38567905387ab9b1d45734d81.tar.bz2 |
KDC TGS-REQ null deref [CVE-2013-1416]
By sending an unusual but valid TGS-REQ, an authenticated remote
attacker can cause the KDC process to crash by dereferencing a null
pointer.
prep_reprocess_req() can cause a null pointer dereference when
processing a service principal name. Code in this function can
inappropriately pass a null pointer to strlcpy(). Unmodified client
software can trivially trigger this vulnerability, but the attacker
must have already authenticated and received a valid Kerberos ticket.
The vulnerable code was introduced by the implementation of new
service principal realm referral functionality in krb5-1.7, but was
corrected as a side effect of the KDC refactoring in krb5-1.11.
CVSSv2 vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:O/RC:C
ticket: 7600 (new)
version_fixed: 1.10.5
status: resolved
Diffstat (limited to 'src/kdc/do_tgs_req.c')
-rw-r--r-- | src/kdc/do_tgs_req.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 9ff80cf..86496e9 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1141,7 +1141,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) retval = ENOMEM; goto cleanup; } - strlcpy(comp1_str,comp1->data,comp1->length+1); + if (comp1->data != NULL) + memcpy(comp1_str, comp1->data, comp1->length); if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST || @@ -1164,7 +1165,8 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) retval = ENOMEM; goto cleanup; } - strlcpy(temp_buf, comp2->data,comp2->length+1); + if (comp2->data != NULL) + memcpy(temp_buf, comp2->data, comp2->length); retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms); free(temp_buf); if (retval) { |