Fix gssrpc data leakage [CVE-2014-9423]
authorGreg Hudson <ghudson@mit.edu>
Mon, 29 Dec 2014 18:17:56 +0000 (13:17 -0500)
committerGreg Hudson <ghudson@mit.edu>
Wed, 4 Feb 2015 19:26:15 +0000 (14:26 -0500)
[MITKRB5-SA-2015-001] In svcauth_gss_accept_sec_context(), do not copy
bytes from the union context into the handle field we send to the
client.  We do not use this handle field, so just supply a fixed
string of "xxxx".

In gss_union_ctx_id_struct, remove the unused "interposer" field which
was causing part of the union context to remain uninitialized.

ticket: 8058 (new)
target_version: 1.13.1
tags: pullup

src/lib/gssapi/mechglue/mglueP.h
src/lib/rpc/svc_auth_gss.c

index e56b9c1a58f1b04542dfd433630db46c2a2e65a9..2b5145e079fe27517cbfe1a7c94113bfb184ac50 100644 (file)
@@ -25,7 +25,6 @@ do {                                                          \
  */
 typedef struct gss_union_ctx_id_struct {
        struct gss_union_ctx_id_struct *loopback;
-       struct gss_union_ctx_id_struct *interposer;
        gss_OID                 mech_type;
        gss_ctx_id_t            internal_ctx_id;
 } gss_union_ctx_id_desc, *gss_union_ctx_id_t;
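Review bot: The struct gains no comment saying why a field was dropped or why its bytes must never be copied out of the process, so nothing stops the next maintainer from re-adding padding-bearing fields or memcpy'ing the struct into a wire buffer as svc_auth_gss.c used to. Suggest a comment above the typedef: `/* Holds raw in-process pointers and may contain padding; never copy this` / ` * struct by size into a buffer that leaves the process (CVE-2014-9423). */`. Removing `interposer` also changes `sizeof(gss_union_ctx_id_desc)`; any out-of-tree consumer of this private header that still copies the struct by size would silently change behaviour, which is worth a line in the note if such consumers exist.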
index 09a353412fe1e47ad68311ddac9af2cc49ad3ae5..b81c4a349632358f1b6f513600d2331b802305ca 100644 (file)
@@ -65,16 +65,6 @@ extern const gss_OID_desc * const gss_mech_spkm3;
 
 extern SVCAUTH svc_auth_none;
 
-/*
- * from mit-krb5-1.2.1 mechglue/mglueP.h:
- * Array of context IDs typed by mechanism OID
- */
-typedef struct gss_union_ctx_id_t {
-  gss_OID     mech_type;
-  gss_ctx_id_t    internal_ctx_id;
-} gss_union_ctx_id_desc, *gss_union_ctx_id_t;
-
-
 static auth_gssapi_log_badauth_func log_badauth = NULL;
 static caddr_t log_badauth_data = NULL;
 static auth_gssapi_log_badauth2_func log_badauth2 = NULL;
@@ -239,16 +229,8 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst,
                gd->ctx = GSS_C_NO_CONTEXT;
                goto errout;
        }
-       /*
-        * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers,
-        * one to the mechanism oid, one to the internal_ctx_id
-        */
-       if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) {
-               fprintf(stderr, "svcauth_gss_accept_context: out of memory\n");
-               goto errout;
-       }
-       memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc));
-       gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc);
+       gr->gr_ctx.value = "xxxx";
+       gr->gr_ctx.length = 4;
 
        /* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version...  */
        gr->gr_win = sizeof(gd->seqmask) * 8;
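Review bot: `gr->gr_ctx.value = "xxxx";` stores a string literal in a `void *` buffer field with a hand-typed length of 4, which is only safe as long as no path ever writes through or frees `gr_ctx.value`; the later hunks drop the explicit `mem_free` calls, but an `xdr_free` of the whole reply structure anywhere else would now hand a literal to `mem_free`. Naming the placeholder keeps value and length in sync and makes the static lifetime visible: `static char placeholder_handle[] = "xxxx";` / `gr->gr_ctx.value = placeholder_handle;` / `gr->gr_ctx.length = sizeof(placeholder_handle) - 1;`, with a comment stating that the server never consults the handle (per the commit message) and that the buffer is static storage that must not be freed. svcauth_gss_accept_sec_context starts before this hunk, so whether `gr` is zeroed or freed elsewhere is not visible here.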
@@ -520,8 +502,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg,
 
                if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) {
                        gss_release_buffer(&min_stat, &gr.gr_token);
-                       mem_free(gr.gr_ctx.value,
-                                sizeof(gss_union_ctx_id_desc));
                        ret_freegc (AUTH_FAILED);
                }
                *no_dispatch = TRUE;
@@ -531,7 +511,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg,
 
                gss_release_buffer(&min_stat, &gr.gr_token);
                gss_release_buffer(&min_stat, &gd->checksum);
-               mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc));
                if (!call_stat)
                        ret_freegc (AUTH_FAILED);