krb5 commit [krb5-1.11]: Multi-realm KDC null deref [CVE-2013-1418]

Tom Yu tlyu at MIT.EDU
Mon Nov 4 15:44:02 EST 2013


https://github.com/krb5/krb5/commit/05c544eef3633b774ca38154ba4c2bf3416b471b
commit 05c544eef3633b774ca38154ba4c2bf3416b471b
Author: Tom Yu <tlyu at mit.edu>
Date:   Mon Nov 4 15:33:09 2013 -0500

    Multi-realm KDC null deref [CVE-2013-1418]
    
    If a KDC serves multiple realms, certain requests can cause
    setup_server_realm() to dereference a null pointer, crashing the KDC.
    
    CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
    
    A related but more minor vulnerability requires authentication to
    exploit, and is only present if a third-party KDC database module can
    dereference a null pointer under certain conditions.
    
    (back ported from commit 5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf)
    
    ticket: 7756 (new)
    version_fixed: 1.11.4
    status: resolved

 src/kdc/main.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/src/kdc/main.c b/src/kdc/main.c
index 1624046..8a085a2 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -125,6 +125,9 @@ setup_server_realm(struct server_handle *handle, krb5_principal sprinc)
     int kdc_numrealms = handle->kdc_numrealms;
 
     kret = 0;
+    if (sprinc == NULL)
+        return NULL;
+
     if (kdc_numrealms > 1) {
         if (!(newrealm = find_realm_data(handle, sprinc->realm.data,
                                          (krb5_ui_4) sprinc->realm.length)))


More information about the cvs-krb5 mailing list