Fix kadmind server validation [CVE-2014-9422]
authorGreg Hudson <ghudson@mit.edu>
Mon, 29 Dec 2014 18:27:42 +0000 (13:27 -0500)
committerGreg Hudson <ghudson@mit.edu>
Wed, 4 Feb 2015 19:26:15 +0000 (14:26 -0500)
[MITKRB5-SA-2015-001] In kadmind's check_rpcsec_auth(), use
data_eq_string() instead of strncmp() to check components of the
server principal, so that we don't erroneously match left substrings
of "kadmin", "history", or the realm.

ticket: 8057 (new)
target_version: 1.13.1
tags: pullup

src/kadmin/server/kadm_rpc_svc.c

index 3837931b6f342187fdf9f773a912b3170087285b..f4d2a7cba7b4c5b6de0479ab8dbbe30e097aee24 100644 (file)
@@ -4,7 +4,7 @@
  *
  */
 
-#include <k5-platform.h>
+#include <k5-int.h>
 #include <gssrpc/rpc.h>
 #include <gssapi/gssapi_krb5.h> /* for gss_nt_krb5_name */
 #include <syslog.h>
@@ -296,14 +296,8 @@ check_rpcsec_auth(struct svc_req *rqstp)
      c1 = krb5_princ_component(kctx, princ, 0);
      c2 = krb5_princ_component(kctx, princ, 1);
      realm = krb5_princ_realm(kctx, princ);
-     if (strncmp(handle->params.realm, realm->data, realm->length) == 0
-        && strncmp("kadmin", c1->data, c1->length) == 0) {
-
-         if (strncmp("history", c2->data, c2->length) == 0)
-              goto fail_princ;
-         else
-              success = 1;
-     }
+     success = data_eq_string(*realm, handle->params.realm) &&
+            data_eq_string(*c1, "kadmin") && !data_eq_string(*c2, "history");
 
 fail_princ:
      if (!success) {
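Review bot: The new assignment on the `success =` lines reads `c2` unconditionally, so it is only safe if the principal's component count has already been verified to be exactly two earlier in the function; check_rpcsec_auth's body begins and ends outside this hunk, so that check cannot be confirmed from here and should be verified before relying on `*c2`. The `fail_princ:` label now has no `goto` left inside the hunk, which would draw an unused-label warning if no earlier jump to it remains. A one-line comment above the assignment would make the intended accept set explicit for the next reader: `/* Accept only kadmin/<anything>@<our realm>, except kadmin/history. */`.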