diff options
author | Xi Wang <xi.wang@gmail.com> | 2013-02-14 18:17:40 -0500 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2013-02-22 17:10:56 -0500 |
commit | dfa3dbb2f5c6d7d32d97c179f6c34e0dbb554111 (patch) | |
tree | 5ea6c0b223dacedbfdd944fa6e0a23d8a48d407f /src | |
parent | 6abd90b73b1f8abae9fcf42e89758348a40d1dc1 (diff) | |
download | krb5-dfa3dbb2f5c6d7d32d97c179f6c34e0dbb554111.zip krb5-dfa3dbb2f5c6d7d32d97c179f6c34e0dbb554111.tar.gz krb5-dfa3dbb2f5c6d7d32d97c179f6c34e0dbb554111.tar.bz2 |
PKINIT null pointer deref [CVE-2013-1415]
Don't dereference a null pointer when cleaning up.
The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
This is a minimal commit for pullup; style fixes in a followup.
[kaduk@mit.edu: reformat and edit commit message]
(cherry picked from commit c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed)
ticket: 7577 (new)
version_fixed: 1.10.4
status: resolved
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 41847a1..7021ff6 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -3249,7 +3249,7 @@ pkinit_check_kdc_pkid(krb5_context context, pkiDebug("found kdcPkId in AS REQ\n"); is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len); if (is == NULL) - goto cleanup; + return retval; status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer); if (!status) { @@ -3259,7 +3259,6 @@ pkinit_check_kdc_pkid(krb5_context context, } retval = 0; -cleanup: X509_NAME_free(is->issuer); ASN1_INTEGER_free(is->serial); free(is); |