svn rev #23731: branches/krb5-1-7/src/kdc/

tlyu@MIT.EDU tlyu at MIT.EDU
Wed Feb 17 00:11:45 EST 2010 

http://src.mit.edu/fisheye/changelog/krb5/?cs=23731
Commit By: tlyu
Log Message:
ticket: 6664
version_fixed: 1.7.2
status: resolved

pull up r23724 from trunk

 ------------------------------------------------------------------------
 r23724 | tlyu | 2010-02-16 17:10:17 -0500 (Tue, 16 Feb 2010) | 10 lines

 ticket: 6662
 subject: MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
 tags: pullup
 target_version: 1.8

 Code introduced in krb5-1.7 can cause an assertion failure if a
 KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
 doesn't match the msg_type field.  Thanks to Emmanuel Bouillon (NATO
 C3 Agency) for discovering and reporting this vulnerability.


Changed Files:
U   branches/krb5-1-7/src/kdc/do_as_req.c
U   branches/krb5-1-7/src/kdc/do_tgs_req.c
U   branches/krb5-1-7/src/kdc/fast_util.c
Modified: branches/krb5-1-7/src/kdc/do_as_req.c
===================================================================
--- branches/krb5-1-7/src/kdc/do_as_req.c	2010-02-17 03:41:03 UTC (rev 23730)
+++ branches/krb5-1-7/src/kdc/do_as_req.c	2010-02-17 05:11:45 UTC (rev 23731)
@@ -137,6 +137,11 @@
     session_key.contents = 0;
     enc_tkt_reply.authorization_data = NULL;
 
+    if (request->msg_type != KRB5_AS_REQ) {
+        status = "msg_type mismatch";
+        errcode = KRB5_BADMSGTYPE;
+        goto errout;
+    }
     errcode = kdc_make_rstate(&state);
     if (errcode != 0) {
 	status = "constructing state";

Modified: branches/krb5-1-7/src/kdc/do_tgs_req.c
===================================================================
--- branches/krb5-1-7/src/kdc/do_tgs_req.c	2010-02-17 03:41:03 UTC (rev 23730)
+++ branches/krb5-1-7/src/kdc/do_tgs_req.c	2010-02-17 05:11:45 UTC (rev 23731)
@@ -135,6 +135,8 @@
     retval = decode_krb5_tgs_req(pkt, &request);
     if (retval)
         return retval;
+    if (request->msg_type != KRB5_TGS_REQ)
+        return KRB5_BADMSGTYPE;
 
     /*
      * setup_server_realm() sets up the global realm-specific data pointer.

Modified: branches/krb5-1-7/src/kdc/fast_util.c
===================================================================
--- branches/krb5-1-7/src/kdc/fast_util.c	2010-02-17 03:41:03 UTC (rev 23730)
+++ branches/krb5-1-7/src/kdc/fast_util.c	2010-02-17 05:11:45 UTC (rev 23731)
@@ -384,7 +384,7 @@
     krb5_data *encoded_e_data = NULL;
 
     memset(outer_pa, 0, sizeof(outer_pa));
-    if (!state->armor_key)
+    if (!state || !state->armor_key)
 	return 0;
     fx_error = *err;
     fx_error.e_data.data = NULL;

More information about the cvs-krb5 mailing list