svn rev #24628: branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/

tlyu@MIT.EDU tlyu at MIT.EDU
Wed Feb 9 16:38:08 EST 2011


http://src.mit.edu/fisheye/changelog/krb5/?cs=24628
Commit By: tlyu
Log Message:
ticket: 6865
subject: KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282]
version_fixed: 1.7.2
status: resolved

pull up r24622 from trunk, except for the fix for CVE-2011-0283, which
only applies to krb5-1.9.

 ------------------------------------------------------------------------
 r24622 | tlyu | 2011-02-09 15:25:08 -0500 (Wed, 09 Feb 2011) | 10 lines

 ticket: 6860
 subject: KDC denial of service attacks [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
 tags: pullup
 target_version: 1.9.1

 [CVE-2011-0281 CVE-2011-0282] Fix some LDAP back end principal name
 handling that could cause the KDC to hang or crash.

 [CVE-2011-0283] Fix a KDC null pointer dereference introduced in krb5-1.9.


Changed Files:
U   branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
U   branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
U   branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
U   branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
Modified: branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
===================================================================
--- branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h	2011-02-09 21:38:04 UTC (rev 24627)
+++ branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h	2011-02-09 21:38:08 UTC (rev 24628)
@@ -101,14 +101,18 @@
 #define LDAP_SEARCH(base, scope, filter, attrs)   LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
 
 #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check)        \
-      do { \
-	  st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
-	  if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-              tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
-	      if (ldap_server_handle) \
-		  ld = ldap_server_handle->ldap_handle; \
-	  } \
-      }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
+    tempst = 0;								\
+    st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL,	\
+			   NULL, &timelimit, LDAP_NO_LIMIT, &result);	\
+    if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+	tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle);	\
+	if (ldap_server_handle)						\
+	    ld = ldap_server_handle->ldap_handle;			\
+	if (tempst == 0)						\
+	    st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0,	\
+				   NULL, NULL, &timelimit,		\
+				   LDAP_NO_LIMIT, &result);		\
+    }									\
       \
       if (status_check != IGNORE_STATUS) { \
         if (tempst != 0) { \

Modified: branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
===================================================================
--- branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c	2011-02-09 21:38:04 UTC (rev 24627)
+++ branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c	2011-02-09 21:38:08 UTC (rev 24628)
@@ -296,6 +296,7 @@
 {
     krb5_ldap_server_handle     *handle = *ldap_server_handle;
 
+    ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
     if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
 	|| (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
 	return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);

Modified: branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
===================================================================
--- branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2011-02-09 21:38:04 UTC (rev 24627)
+++ branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c	2011-02-09 21:38:08 UTC (rev 24628)
@@ -449,12 +449,11 @@
      * portion, then the first portion of the principal name SHOULD be
      * "krbtgt".  All this check is done in the immediate block.
      */
-    if (searchfor->length == 2)
-	if ((strncasecmp(searchfor->data[0].data, "krbtgt",
-			 FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
-	    (strncasecmp(searchfor->data[1].data, defrealm,
-			 FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
+    if (searchfor->length == 2) {
+	if (data_eq_string(searchfor->data[0], "krbtgt") &&
+	    data_eq_string(searchfor->data[1], defrealm))
 	    return 0;
+    }
 
     /* first check the length, if they are not equal, then they are not same */
     if (strlen(defrealm) != searchfor->realm.length)

Modified: branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
===================================================================
--- branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2011-02-09 21:38:04 UTC (rev 24627)
+++ branches/krb5-1-7/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c	2011-02-09 21:38:08 UTC (rev 24628)
@@ -106,10 +106,10 @@
     int *nentries;		/* how much room/how many found */
     krb5_boolean *more;		/* are there more? */
 {
-    char                        *user=NULL, *filter=NULL, **subtree=NULL;
+    char                        *user=NULL, *filter=NULL, *filtuser=NULL;
     unsigned int                tree=0, ntrees=1, princlen=0;
     krb5_error_code	        tempst=0, st=0;
-    char                        **values=NULL, *cname=NULL;
+    char                        **values=NULL, **subtree=NULL, *cname=NULL;
     LDAP	                *ld=NULL;
     LDAPMessage	                *result=NULL, *ent=NULL;
     krb5_ldap_context           *ldap_context=NULL;
@@ -145,12 +145,18 @@
     if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
 	goto cleanup;
 
-    princlen = strlen(FILTER) + strlen(user) + 2 + 1;      /* 2 for closing brackets */
+    filtuser = ldap_filter_correct(user);
+    if (filtuser == NULL) {
+        st = ENOMEM;
+        goto cleanup;
+    }
+
+    princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1;  /* 2 for closing brackets */
     if ((filter = malloc(princlen)) == NULL) {
 	st = ENOMEM;
 	goto cleanup;
     }
-    snprintf(filter, princlen, FILTER"%s))", user);
+    snprintf(filter, princlen, FILTER"%s))", filtuser);
 
     if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
 	goto cleanup;
@@ -234,6 +240,9 @@
     if (user)
 	free(user);
 
+    if (filtuser)
+	free(filtuser);
+
     if (cname)
 	free(cname);
 




More information about the cvs-krb5 mailing list