By sending an unusual but valid TGS-REQ, an authenticated remote
attacker can cause the KDC process to crash by dereferencing a null
pointer.
prep_reprocess_req() can cause a null pointer dereference when
processing a service principal name. Code in this function can
inappropriately pass a null pointer to strlcpy(). Unmodified client
software can trivially trigger this vulnerability, but the attacker
must have already authenticated and received a valid Kerberos ticket.
The vulnerable code was introduced by the implementation of new
service principal realm referral functionality in krb5-1.7, but was
corrected as a side effect of the KDC refactoring in krb5-1.11.
CVSSv2 vector: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:H/RL:O/RC:C
(cherry picked from commit
8ee70ec63931d1e38567905387ab9b1d45734d81)
ticket: 7622 (new)
version_fixed: 1.9.5
status: resolved
retval = ENOMEM;
goto cleanup;
}
- strlcpy(comp1_str,comp1->data,comp1->length+1);
+ if (comp1->data != NULL)
+ memcpy(comp1_str, comp1->data, comp1->length);
if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
retval = ENOMEM;
goto cleanup;
}
- strlcpy(temp_buf, comp2->data,comp2->length+1);
+ if (comp2->data != NULL)
+ memcpy(temp_buf, comp2->data, comp2->length);
retval = krb5int_get_domain_realm_mapping(kdc_context, temp_buf, &realms);
free(temp_buf);
if (retval) {
projects / thirdparty / krb5.git / commitdiff
