git.ipfire.org Git - thirdparty/krb5.git/commit
Fix KDC null dereference on large TGS replies 763/head
author Robbie Harwood <rharwood@redhat.com>
Fri, 20 Apr 2018 20:16:02 +0000 (16:16 -0400)
committer Greg Hudson <ghudson@mit.edu>
Mon, 23 Apr 2018 23:32:59 +0000 (19:32 -0400)
commit 6afa8b4abf8f7c5774d03e6b15ee7288ad68d725
tree d4ab20579c88d2f85be99fe71db859938fdb57ab
parent 90a15695a684fe56c065f39cdbe65c2b3650aa3d
Fix KDC null dereference on large TGS replies

For TGS requests, dispatch() doesn't set state->active_realm, which
leads to a NULL dereference in finish_dispatch() if the reply is too
big for UDP.  Prior to commit 0a2f14f752c32a24200363cc6b6ae64a92f81379
the active realm was a global and was set when process_tgs_req()
called setup_server_realm().

Move TGS decoding out of process_tgs_req() so that we can set
state->active_realm before any errors requiring response.  Add a test
case.

[ghudson@mit.edu: edited commit message; added test case; reduced code
duplication; removed server handle from process_tgs_req() parameters]

ticket: 8666
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
src/kdc/Makefile.in
src/kdc/dispatch.c
src/kdc/do_tgs_req.c
src/kdc/kdc_util.h
src/kdc/t_bigreply.py [new file with mode: 0644]
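
The ordering problem the commit message describes, reduced to a small model. This is an added example, not code from krb5 or from this commit; every type, function name and the size limit below is hypothetical, and the model reports the missing realm with a return code where the commit message describes a NULL dereference.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical simplified model; none of these types or functions are krb5's. */
enum msg_type { MSG_OTHER_REQ, MSG_TGS_REQ };
enum { MAX_UDP_REPLY = 1400 };          /* constructed limit for the model */
struct realm { const char *name; };
struct dispatch_state {
    const struct realm *active_realm;   /* must be set before any reply path */
    int is_udp;
};
static const struct realm demo_realm = { "EXAMPLE.TEST" };  /* constructed */

/* Reply path shared by all request types. Returns 0 if the reply fits,
 * 1 if a "response too big" error was built from the realm, and -1 if the
 * realm is missing (the point where the described NULL dereference occurs). */
static int finish_model(const struct dispatch_state *st, size_t reply_len)
{
    if (!st->is_udp || reply_len <= MAX_UDP_REPLY)
        return 0;
    if (st->active_realm == NULL)
        return -1;
    return 1;
}

/* Before: the dispatcher selects the realm for other request types only;
 * the TGS handler is expected to do it internally, so the state stays empty. */
static int dispatch_before(enum msg_type t, size_t reply_len)
{
    struct dispatch_state st = { NULL, 1 };
    if (t != MSG_TGS_REQ)
        st.active_realm = &demo_realm;
    return finish_model(&st, reply_len);
}

/* After: decoding is done by the dispatcher for every type, so the realm
 * is in the state before any path that can produce a response. */
static int dispatch_after(enum msg_type t, size_t reply_len)
{
    struct dispatch_state st = { &demo_realm, 1 };
    (void)t;                            /* all request types take one route */
    return finish_model(&st, reply_len);
}

int main(void)
{
    printf("before, TGS, large reply: %d\n", dispatch_before(MSG_TGS_REQ, 4000));
    printf("after,  TGS, large reply: %d\n", dispatch_after(MSG_TGS_REQ, 4000));
    return 0;
}
```

The failing case needs both conditions at once, a TGS request and a reply over the UDP limit, which is why the commit adds a dedicated large-reply test.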