svn rev #24622: trunk/src/ kdc/ plugins/kdb/ldap/libkdb_ldap/

tlyu@MIT.EDU tlyu at MIT.EDU
Wed Feb 9 15:25:08 EST 2011


http://src.mit.edu/fisheye/changelog/krb5/?cs=24622
Commit By: tlyu
Log Message:
ticket: 6860
subject: KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
tags: pullup
target_version: 1.9.1

[CVE-2011-0281 CVE-2011-0282] Fix some LDAP back end principal name
handling that could cause the KDC to hang or crash.

[CVE-2011-0283] Fix a KDC null pointer dereference introduced in krb5-1.9.


Changed Files:
U   trunk/src/kdc/dispatch.c
U   trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
U   trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
U   trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
U   trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
Modified: trunk/src/kdc/dispatch.c
===================================================================
--- trunk/src/kdc/dispatch.c	2011-02-09 20:25:03 UTC (rev 24621)
+++ trunk/src/kdc/dispatch.c	2011-02-09 20:25:08 UTC (rev 24622)
@@ -115,7 +115,8 @@
         kdc_insert_lookaside(pkt, *response);
 #endif
 
-    if (is_tcp == 0 && (*response)->length > max_dgram_reply_size) {
+    if (is_tcp == 0 && *response != NULL &&
+        (*response)->length > max_dgram_reply_size) {
     too_big_for_udp:
         krb5_free_data(kdc_context, *response);
         retval = make_too_big_error(response);
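Review bot: The new `*response != NULL` guard sits below the `kdc_insert_lookaside(pkt, *response)` call two lines earlier, which still receives a possibly-NULL response when the lookaside cache is compiled in; if kdc_insert_lookaside does not tolerate NULL (its body is not visible here), the null case needs handling before that call rather than only at the size check. The `too_big_for_udp:` label inside the if-body is a jump target, so the goto path bypasses the new condition entirely; a comment on the guard would make both facts clear: `/* *response may be NULL (nothing to send); guard the size check on the fall-through path only. */`. The enclosing function starts and ends outside this hunk.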

Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h	2011-02-09 20:25:03 UTC (rev 24621)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h	2011-02-09 20:25:08 UTC (rev 24622)
@@ -102,14 +102,18 @@
 #define LDAP_SEARCH(base, scope, filter, attrs)   LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
 
 #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check)         \
-    do {                                                                \
-        st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
-        if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-            tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
-            if (ldap_server_handle)                                     \
-                ld = ldap_server_handle->ldap_handle;                   \
-        }                                                               \
-    }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
+    tempst = 0;                                                         \
+    st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL,     \
+                           NULL, &timelimit, LDAP_NO_LIMIT, &result);   \
+    if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+        tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle);   \
+        if (ldap_server_handle)                                         \
+            ld = ldap_server_handle->ldap_handle;                       \
+        if (tempst == 0)                                                \
+            st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0,   \
+                                   NULL, NULL, &timelimit,              \
+                                   LDAP_NO_LIMIT, &result);             \
+    }                                                                   \
                                                                         \
     if (status_check != IGNORE_STATUS) {                                \
         if (tempst != 0) {                                              \
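Review bot: The retry under the new `if (tempst == 0)` reuses `ld` unchanged whenever `krb5_ldap_rebind` returns 0 but leaves `ldap_server_handle` NULL, because `ld` is only refreshed inside `if (ldap_server_handle)`; whether the rebind can return success with a NULL handle is not visible here, but `if (tempst == 0 && ldap_server_handle != NULL)` removes the question at no cost. The macro body is also a bare statement sequence rather than a `do { ... } while (0)` (that was already true of the status-check tail), so a caller that writes `LDAP_SEARCH(...)` as the sole statement of an unbraced `if` would silently misparse; a header comment such as `/* Multi-statement macro: use only in braced context; may evaluate its arguments twice. */` records that hazard. The macro definition continues past the end of this hunk.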

Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c	2011-02-09 20:25:03 UTC (rev 24621)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c	2011-02-09 20:25:08 UTC (rev 24622)
@@ -302,6 +302,7 @@
 {
     krb5_ldap_server_handle     *handle = *ldap_server_handle;
 
+    ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
     if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
         || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
         return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
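Review bot: The added `ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL)` is unconditional, and nothing clears `handle->ldap_handle` when the `ldap_initialize` on the next line fails, so a later rebind on the same handle may unbind a pointer that is already dead (what ldap_initialize leaves in `*ldp` on failure is not visible here). Guarding and resetting keeps the handle in a known state: `if (handle->ldap_handle != NULL) ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);` followed by `handle->ldap_handle = NULL;` before the initialize call. A one-line comment would also explain why the unbind exists, since before this change the old LDAP handle was overwritten by ldap_initialize without ever being released: `/* Release the old connection before reconnecting; it was previously overwritten and leaked. */`. The function's signature is above this hunk and its body continues below it.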

Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2011-02-09 20:25:03 UTC (rev 24621)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2011-02-09 20:25:08 UTC (rev 24622)
@@ -487,12 +487,11 @@
      * portion, then the first portion of the principal name SHOULD be
      * "krbtgt".  All this check is done in the immediate block.
      */
-    if (searchfor->length == 2)
-        if ((strncasecmp(searchfor->data[0].data, "krbtgt",
-                         FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
-            (strncasecmp(searchfor->data[1].data, defrealm,
-                         FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
+    if (searchfor->length == 2) {
+        if (data_eq_string(searchfor->data[0], "krbtgt") &&
+            data_eq_string(searchfor->data[1], defrealm))
             return 0;
+    }
 
     /* first check the length, if they are not equal, then they are not same */
     if (strlen(defrealm) != searchfor->realm.length)
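Review bot: The comparison semantics changed along with the bounds: `strncasecmp` was case-insensitive, whereas `data_eq_string` (presumably the k5-int.h helper, not shown here) requires an exact length and byte match, so a `KRBTGT` component no longer matches. That is correct for Kerberos names, but the comment above this block only says the first component "SHOULD be krbtgt"; add `/* Exact, case-sensitive match: principal components and realm names are case-sensitive. */` so the strncasecmp form is not reintroduced. For consistency, the realm check on the last line of the hunk, `strlen(defrealm) != searchfor->realm.length` plus whatever byte comparison follows it below the hunk, could likewise collapse to `!data_eq_string(searchfor->realm, defrealm)`. The enclosing function starts and ends outside this hunk.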

Modified: trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2011-02-09 20:25:03 UTC (rev 24621)
+++ trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2011-02-09 20:25:08 UTC (rev 24622)
@@ -78,10 +78,10 @@
 krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
                         unsigned int flags, krb5_db_entry **entry_ptr)
 {
-    char                        *user=NULL, *filter=NULL, **subtree=NULL;
+    char                        *user=NULL, *filter=NULL, *filtuser=NULL;
     unsigned int                tree=0, ntrees=1, princlen=0;
     krb5_error_code             tempst=0, st=0;
-    char                        **values=NULL, *cname=NULL;
+    char                        **values=NULL, **subtree=NULL, *cname=NULL;
     LDAP                        *ld=NULL;
     LDAPMessage                 *result=NULL, *ent=NULL;
     krb5_ldap_context           *ldap_context=NULL;
@@ -115,12 +115,18 @@
     if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
         goto cleanup;
 
-    princlen = strlen(FILTER) + strlen(user) + 2 + 1;      /* 2 for closing brackets */
+    filtuser = ldap_filter_correct(user);
+    if (filtuser == NULL) {
+        st = ENOMEM;
+        goto cleanup;
+    }
+
+    princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1;  /* 2 for closing brackets */
     if ((filter = malloc(princlen)) == NULL) {
         st = ENOMEM;
         goto cleanup;
     }
-    snprintf(filter, princlen, FILTER"%s))", user);
+    snprintf(filter, princlen, FILTER"%s))", filtuser);
 
     if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
         goto cleanup;
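Review bot: The new `ldap_filter_correct(user)` call is the substantive fix in this function — by its name and use it escapes the principal name before that name is pasted into the LDAP search filter on the `snprintf` line — but nothing in the code says so, and a future cleanup could drop it as an apparently redundant copy of `user`. Add above the call: `/* Escape LDAP filter metacharacters (RFC 4515) in the principal name so a crafted name cannot change the search filter. */`. The `princlen` comment could also be precise about what the `+ 2` pays for: `/* 2 for the "))" appended by the format, 1 for NUL */`. The function continues on both sides of this hunk.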
@@ -207,6 +213,9 @@
     if (user)
         free(user);
 
+    if (filtuser)
+        free(filtuser);
+
     if (cname)
         free(cname);
 



