svn rev #24429: trunk/src/kdc/
tlyu@MIT.EDU
tlyu at MIT.EDU
Tue Oct 5 17:05:19 EDT 2010
http://src.mit.edu/fisheye/changelog/krb5/?cs=24429
Commit By: tlyu
Log Message:
ticket: 6797
subject: CVE-2010-1322 KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006)
tags: pullup
target_version: 1.8.4
When the KDC receives certain TGS-REQ messages, it may dereference an
uninitialized pointer while processing authorization data, causing a
crash, or in rare cases, unauthorized information disclosure, ticket
modification, or execution of arbitrary code. The crash may be
triggered by legitimate requests.
Correctly implement the filtering of authorization data items to avoid
leaving uninitialized pointers when omitting items.
Changed Files:
U trunk/src/kdc/kdc_authdata.c
Modified: trunk/src/kdc/kdc_authdata.c
===================================================================
--- trunk/src/kdc/kdc_authdata.c 2010-10-05 19:59:49 UTC (rev 24428)
+++ trunk/src/kdc/kdc_authdata.c 2010-10-05 21:05:19 UTC (rev 24429)
@@ -495,7 +495,7 @@
krb5_boolean copy,
krb5_boolean ignore_kdc_issued)
{
- size_t i, nadata = 0;
+ size_t i, j, nadata = 0;
krb5_authdata **authdata = *out_authdata;
if (in_authdata == NULL || in_authdata[0] == NULL)
@@ -529,16 +529,16 @@
in_authdata = tmp;
}
- for (i = 0; in_authdata[i] != NULL; i++) {
+ for (i = 0, j = 0; in_authdata[i] != NULL; i++) {
if (ignore_kdc_issued &&
is_kdc_issued_authdatum(context, in_authdata[i], 0)) {
free(in_authdata[i]->contents);
free(in_authdata[i]);
} else
- authdata[nadata + i] = in_authdata[i];
+ authdata[nadata + j++] = in_authdata[i];
}
- authdata[nadata + i] = NULL;
+ authdata[nadata + j] = NULL;
free(in_authdata);
More information about the cvs-krb5
mailing list