svn rev #24431: branches/krb5-1-8/src/kdc/

tlyu@MIT.EDU tlyu at MIT.EDU
Tue Oct 5 18:32:34 EDT 2010


http://src.mit.edu/fisheye/changelog/krb5/?cs=24431
Commit By: tlyu
Log Message:
ticket: 6797
status: resolved
version_fixed: 1.8.4

pull up r24429 from trunk

 ------------------------------------------------------------------------
 r24429 | tlyu | 2010-10-05 17:05:19 -0400 (Tue, 05 Oct 2010) | 14 lines

 ticket: 6797
 subject: CVE-2010-1322 KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006)
 tags: pullup
 target_version: 1.8.4

 When the KDC receives certain TGS-REQ messages, it may dereference an
 uninitialized pointer while processing authorization data, causing a
 crash, or in rare cases, unauthorized information disclosure, ticket
 modification, or execution of arbitrary code.  The crash may be
 triggered by legitimate requests.

 Correctly implement the filtering of authorization data items to avoid
 leaving uninitialized pointers when omitting items.


Changed Files:
U   branches/krb5-1-8/src/kdc/kdc_authdata.c
Modified: branches/krb5-1-8/src/kdc/kdc_authdata.c
===================================================================
--- branches/krb5-1-8/src/kdc/kdc_authdata.c	2010-10-05 21:44:14 UTC (rev 24430)
+++ branches/krb5-1-8/src/kdc/kdc_authdata.c	2010-10-05 22:32:34 UTC (rev 24431)
@@ -495,7 +495,7 @@
                 krb5_boolean copy,
                 krb5_boolean ignore_kdc_issued)
 {
-    size_t i, nadata = 0;
+    size_t i, j, nadata = 0;
     krb5_authdata **authdata = *out_authdata;
 
     if (in_authdata == NULL || in_authdata[0] == NULL)
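Review bot: the new `j` is left uninitialized at its declaration; that is fine because the loop header in the next hunk sets it to 0, but initializing it here alongside `nadata = 0` would make the intent obvious and protect against a future refactor that moves or duplicates the loop.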
@@ -529,16 +529,16 @@
         in_authdata = tmp;
     }
 
-    for (i = 0; in_authdata[i] != NULL; i++) {
+    for (i = 0, j = 0; in_authdata[i] != NULL; i++) {
         if (ignore_kdc_issued &&
             is_kdc_issued_authdatum(context, in_authdata[i], 0)) {
             free(in_authdata[i]->contents);
             free(in_authdata[i]);
         } else
-            authdata[nadata + i] = in_authdata[i];
+            authdata[nadata + j++] = in_authdata[i];
     }
 
-    authdata[nadata + i] = NULL;
+    authdata[nadata + j] = NULL;
 
     free(in_authdata);
 
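Review bot: this is the right fix for the uninitialized-slot gap: `j` advances only when an item is actually appended, so dropping a KDC-issued item no longer leaves `authdata[nadata + i]` unset, and the NULL terminator at `authdata[nadata + j]` now sits directly after the last stored entry. A short comment above the loop saying that `j` intentionally lags `i` whenever an item is freed would help readers, since the old code's use of `i` as the output index is exactly what this change corrects; note also that the array stays sized for the full input count, so using fewer slots is safe.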
