]> git.ipfire.org Git - thirdparty/krb5.git/commitdiff
projects / thirdparty / krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bcc91c8)
Multi-realm KDC null deref [CVE-2013-1418]
authorTom Yu <tlyu@mit.edu>
Mon, 4 Nov 2013 18:44:29 +0000 (13:44 -0500)
committerTom Yu <tlyu@mit.edu>
Mon, 4 Nov 2013 19:37:05 +0000 (14:37 -0500)
If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC.

CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C

A related but more minor vulnerability requires authentication to
exploit, and is only present if a third-party KDC database module can
dereference a null pointer under certain conditions.

ticket: 7755 (new)
target_version: 1.12
tags: pullup

src/kdc/main.c patch | blob | blame | history

diff --git a/src/kdc/main.c b/src/kdc/main.c
index 0f5961acb333439f80e1888dd5c96f2191aebfa4..a7ffe635d97ce9412b78045434fa1f816caac049 100644 (file)
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -124,6 +124,9 @@ setup_server_realm(struct server_handle *handle, krb5_principal sprinc)
     kdc_realm_t **kdc_realmlist = handle->kdc_realmlist;
     int kdc_numrealms = handle->kdc_numrealms;
 
+    if (sprinc == NULL)
+        return NULL;
+
     if (kdc_numrealms > 1) {
         if (!(newrealm = find_realm_data(handle, sprinc->realm.data,
                                          (krb5_ui_4) sprinc->realm.length)))
Mirror of https://github.com/krb5/krb5.git