From: Tom Yu <tlyu@mit.edu>
Date: Tue, 5 Oct 2010 21:05:19 +0000 (+0000)
Subject: CVE-2010-1322 KDC uninitialized pointer crash in authorization data handling (MITKRB5... 
X-Git-Tag: krb5-1.9-beta1~34
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26ff86b99636dfd136d93b5cc7e50623be4d70fa;p=thirdparty%2Fkrb5.git

CVE-2010-1322 KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006)

When the KDC receives certain TGS-REQ messages, it may dereference an
uninitialized pointer while processing authorization data, causing a
crash, or in rare cases, unauthorized information disclosure, ticket
modification, or execution of arbitrary code.  The crash may be
triggered by legitimate requests.

Correctly implement the filtering of authorization data items to avoid
leaving uninitialized pointers when omitting items.

ticket: 6797
tags: pullup
target_version: 1.8.4

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24429 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c
index fa6a72e392..a4f81a60a2 100644
--- a/src/kdc/kdc_authdata.c
+++ b/src/kdc/kdc_authdata.c
@@ -495,7 +495,7 @@ merge_authdata (krb5_context context,
                 krb5_boolean copy,
                 krb5_boolean ignore_kdc_issued)
 {
-    size_t i, nadata = 0;
+    size_t i, j, nadata = 0;
     krb5_authdata **authdata = *out_authdata;
 
     if (in_authdata == NULL || in_authdata[0] == NULL)
@@ -529,16 +529,16 @@ merge_authdata (krb5_context context,
         in_authdata = tmp;
     }
 
-    for (i = 0; in_authdata[i] != NULL; i++) {
+    for (i = 0, j = 0; in_authdata[i] != NULL; i++) {
         if (ignore_kdc_issued &&
             is_kdc_issued_authdatum(context, in_authdata[i], 0)) {
             free(in_authdata[i]->contents);
             free(in_authdata[i]);
         } else
-            authdata[nadata + i] = in_authdata[i];
+            authdata[nadata + j++] = in_authdata[i];
     }
 
-    authdata[nadata + i] = NULL;
+    authdata[nadata + j] = NULL;
 
     free(in_authdata);