From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 19 Jul 2016 15:00:28 +0000 (-0400)
Subject: Fix S4U2Self KDC crash when anon is restricted
X-Git-Tag: krb5-1.13.6-final~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cce19103f7673edb54b1b8e5fa0a516bd009d2c3;p=thirdparty%2Fkrb5.git

Fix S4U2Self KDC crash when anon is restricted

In validate_as_request(), when enforcing restrict_anonymous_to_tgt,
use client.princ instead of request->client; the latter is NULL when
validating S4U2Self requests.

CVE-2016-3120:

In MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc
to dereference a null pointer if the restrict_anonymous_to_tgt option
is set to true, by making an S4U2Self request.

  CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:C

(cherry picked from commit 93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7)
[tlyu@mit.edu: removed test case depending on absent functionality]

ticket: 8458
version_fixed: 1.13.6
---

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 48be1ae2c5..10daec4930 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -700,7 +700,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
         return(KDC_ERR_MUST_USE_USER2USER);
     }
 
-    if (check_anon(kdc_active_realm, request->client, request->server) != 0) {
+    if (check_anon(kdc_active_realm, client.princ, request->server) != 0) {
         *status = "ANONYMOUS NOT ALLOWED";
         return(KDC_ERR_POLICY);
     }