krb5 commit [krb5-1.14]: Fix build_principal memory bug [CVE-2015-2697]

Tom Yu tlyu at mit.edu
Mon Oct 26 15:39:41 EDT 2015 

https://github.com/krb5/krb5/commit/67bdf8189b24efca8a244316e7d51bd52d0dbda9
commit 67bdf8189b24efca8a244316e7d51bd52d0dbda9
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Sep 25 12:51:47 2015 -0400

    Fix build_principal memory bug [CVE-2015-2697]
    
    In build_principal_va(), use k5memdup0() instead of strdup() to make a
    copy of the realm, to ensure that we allocate the correct number of
    bytes and do not read past the end of the input string.  This bug
    affects krb5_build_principal(), krb5_build_principal_va(), and
    krb5_build_principal_alloc_va().  krb5_build_principal_ext() is not
    affected.
    
    CVE-2015-2697:
    
    In MIT krb5 1.7 and later, an authenticated attacker may be able to
    cause a KDC to crash using a TGS request with a large realm field
    beginning with a null byte.  If the KDC attempts to find a referral to
    answer the request, it constructs a principal name for lookup using
    krb5_build_principal() with the requested realm.  Due to a bug in this
    function, the null byte causes only one byte be allocated for the
    realm field of the constructed principal, far less than its length.
    Subsequent operations on the lookup principal may cause a read beyond
    the end of the mapped memory region, causing the KDC process to crash.
    
    CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C
    
    (cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789)
    
    ticket: 8252
    version_fixed: 1.14
    status: resolved

 src/lib/krb5/krb/bld_princ.c |    6 ++----
 1 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
index ab6fed8..8604268 100644
--- a/src/lib/krb5/krb/bld_princ.c
+++ b/src/lib/krb5/krb/bld_princ.c
@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
     data = malloc(size * sizeof(krb5_data));
     if (!data) { retval = ENOMEM; }
 
-    if (!retval) {
-        r = strdup(realm);
-        if (!r) { retval = ENOMEM; }
-    }
+    if (!retval)
+        r = k5memdup0(realm, rlen, &retval);
 
     while (!retval && (component = va_arg(ap, char *))) {
         if (count == size) {

More information about the cvs-krb5 mailing list