From: Greg Hudson Date: Mon, 29 Dec 2014 18:17:56 +0000 (-0500) Subject: Fix gssrpc data leakage [CVE-2014-9423] X-Git-Tag: krb5-1.14-alpha1~169 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5bb8a6b9c9eb8dd22bc9526751610aaa255ead9c;p=thirdparty%2Fkrb5.git Fix gssrpc data leakage [CVE-2014-9423] [MITKRB5-SA-2015-001] In svcauth_gss_accept_sec_context(), do not copy bytes from the union context into the handle field we send to the client. We do not use this handle field, so just supply a fixed string of "xxxx". In gss_union_ctx_id_struct, remove the unused "interposer" field which was causing part of the union context to remain uninitialized. ticket: 8058 (new) target_version: 1.13.1 tags: pullup --- diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h index e56b9c1a58..2b5145e079 100644 --- a/src/lib/gssapi/mechglue/mglueP.h +++ b/src/lib/gssapi/mechglue/mglueP.h @@ -25,7 +25,6 @@ do { \ */ typedef struct gss_union_ctx_id_struct { struct gss_union_ctx_id_struct *loopback; - struct gss_union_ctx_id_struct *interposer; gss_OID mech_type; gss_ctx_id_t internal_ctx_id; } gss_union_ctx_id_desc, *gss_union_ctx_id_t; diff --git a/src/lib/rpc/svc_auth_gss.c b/src/lib/rpc/svc_auth_gss.c index 09a353412f..b81c4a3496 100644 --- a/src/lib/rpc/svc_auth_gss.c +++ b/src/lib/rpc/svc_auth_gss.c @@ -65,16 +65,6 @@ extern const gss_OID_desc * const gss_mech_spkm3; extern SVCAUTH svc_auth_none; -/* - * from mit-krb5-1.2.1 mechglue/mglueP.h: - * Array of context IDs typed by mechanism OID - */ -typedef struct gss_union_ctx_id_t { - gss_OID mech_type; - gss_ctx_id_t internal_ctx_id; -} gss_union_ctx_id_desc, *gss_union_ctx_id_t; - - static auth_gssapi_log_badauth_func log_badauth = NULL; static caddr_t log_badauth_data = NULL; static auth_gssapi_log_badauth2_func log_badauth2 = NULL; @@ -239,16 +229,8 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst, gd->ctx = GSS_C_NO_CONTEXT; goto errout; } - /* - * ANDROS: krb5 mechglue returns ctx of size 8 - two pointers, - * one to the mechanism oid, one to the internal_ctx_id - */ - if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) { - fprintf(stderr, "svcauth_gss_accept_context: out of memory\n"); - goto errout; - } - memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc)); - gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc); + gr->gr_ctx.value = "xxxx"; + gr->gr_ctx.length = 4; /* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version... */ gr->gr_win = sizeof(gd->seqmask) * 8; @@ -520,8 +502,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg, if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) { gss_release_buffer(&min_stat, &gr.gr_token); - mem_free(gr.gr_ctx.value, - sizeof(gss_union_ctx_id_desc)); ret_freegc (AUTH_FAILED); } *no_dispatch = TRUE; @@ -531,7 +511,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg, gss_release_buffer(&min_stat, &gr.gr_token); gss_release_buffer(&min_stat, &gd->checksum); - mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc)); if (!call_stat) ret_freegc (AUTH_FAILED);