krb5 commit [krb5-1.11]: Fix null deref in SPNEGO acceptor [CVE-2014-4344]

Tom Yu tlyu at mit.edu
Fri Feb 6 18:44:42 EST 2015


https://github.com/krb5/krb5/commit/90df9bcfe3124ccac2cf2399e3286103076a2271
commit 90df9bcfe3124ccac2cf2399e3286103076a2271
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Jul 15 12:56:01 2014 -0400

    Fix null deref in SPNEGO acceptor [CVE-2014-4344]
    
    When processing a continuation token, acc_ctx_cont was dereferencing
    the initial byte of the token without checking the length.  This could
    result in a null dereference.
    
    CVE-2014-4344:
    
    In MIT krb5 1.5 and newer, an unauthenticated or partially
    authenticated remote attacker can cause a NULL dereference and
    application crash during a SPNEGO negotiation by sending an empty
    token as the second or later context token from initiator to acceptor.
    The attacker must provide at least one valid context token in the
    security context negotiation before sending the empty token.  This can
    be done by an unauthenticated attacker by forcing SPNEGO to
    renegotiate the underlying mechanism, or by using IAKERB to wrap an
    unauthenticated AS-REQ as the first token.
    
        CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
    
    [kaduk at mit.edu: CVE summary, CVSSv2 vector]
    
    (cherry picked from commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b)
    
    ticket: 8114 (new)
    subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
    version_fixed: 1.11.6
    status: resolved

 src/lib/gssapi/spnego/spnego_mech.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 805c593..1c5a46b 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1437,7 +1437,7 @@ acc_ctx_cont(OM_uint32 *minstat,
 
 	ptr = bufstart = buf->value;
 #define REMAIN (buf->length - (ptr - bufstart))
-	if (REMAIN > INT_MAX)
+	if (REMAIN == 0 || REMAIN > INT_MAX)
 		return GSS_S_DEFECTIVE_TOKEN;
 
 	/*


More information about the cvs-krb5 mailing list