MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals

On certain error conditions, prep_reprocess_req() calls kdc_err() with
a null pointer as the format string, causing a null dereference and
denial of service.  Legitimate protocol requests can trigger this
problem.

ticket: 6608
tags: pullup
target_version: 1.7.1

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23533 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 4a778f412072df42f9ea86f646ec1847d0e79b2b..26fde1e0c94e82f7f6ca85467a030755a53e83b5 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1251,7 +1251,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
             free(temp_buf);
             if (retval) {
                 /* no match found */
-                kdc_err(kdc_context, retval, 0);
+                kdc_err(kdc_context, retval, "unable to find realm of host");
                 goto cleanup;
             }
             if (realms == 0) {

diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index a3f4339104cfcbabe992a9411156486943eda3d4..384e7a8bb5c046e8cf1e559595241b39144a6e91 100644 (file)
--- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
@@ -189,6 +189,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list
     char        *cp;
     char        *syslogp;
 
+    if (whoami == NULL || format == NULL)
+        return;
+
     /* Make the header */
     snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
     /*