krb5 commit [krb5-1.15]: Make RC4 string-to-key more robust

Greg Hudson ghudson at mit.edu
Mon Jul 17 22:59:32 EDT 2017


https://github.com/krb5/krb5/commit/86512c5713a6e2dc39c95b30c1299a484d30d58e
commit 86512c5713a6e2dc39c95b30c1299a484d30d58e
Author: Greg Hudson <ghudson at mit.edu>
Date:   Fri Apr 14 21:41:20 2017 -0400

    Make RC4 string-to-key more robust
    
    krb5int_utf8cs_to_ucs2les() can read slightly beyond the end of the
    input buffer if the buffer ends with an invalid UTF-8 sequence.  When
    computing the RC4 string-to-key result, make a zero-terminated copy of
    the input string and use krb5int_utf8s_to_ucs2les() instead.
    
    (cherry picked from commit b8814745049b5f401e3ae39a81dc1e14598ae48c)
    
    ticket: 8576
    version_fixed: 1.15.2

 src/lib/crypto/krb/s2k_rc4.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/lib/crypto/krb/s2k_rc4.c b/src/lib/crypto/krb/s2k_rc4.c
index 49ad89d..7286637 100644
--- a/src/lib/crypto/krb/s2k_rc4.c
+++ b/src/lib/crypto/krb/s2k_rc4.c
@@ -10,6 +10,7 @@ krb5int_arcfour_string_to_key(const struct krb5_keytypes *ktp,
     krb5_error_code err = 0;
     krb5_crypto_iov iov;
     krb5_data hash_out;
+    char *utf8;
     unsigned char *copystr;
     size_t copystrlen;
 
@@ -20,8 +21,11 @@ krb5int_arcfour_string_to_key(const struct krb5_keytypes *ktp,
         return (KRB5_BAD_MSIZE);
 
     /* We ignore salt per the Microsoft spec. */
-    err = krb5int_utf8cs_to_ucs2les(string->data, string->length, &copystr,
-                                    &copystrlen);
+    utf8 = k5memdup0(string->data, string->length, &err);
+    if (utf8 == NULL)
+        return err;
+    err = krb5int_utf8s_to_ucs2les(utf8, &copystr, &copystrlen);
+    free(utf8);
     if (err)
         return err;
 
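Review bot: the zero-terminated copy made by k5memdup0() in this hunk holds the string being converted to a key, and free(utf8) releases it without clearing it. Consider zapfree(utf8, string->length) so the plaintext does not linger in freed heap memory. A second point on the same lines: krb5int_utf8s_to_ucs2les() takes no length and relies on the terminator, so an input containing an embedded zero byte is now converted only up to that byte, where the removed call passed string->length. If that input is meant to be rejected or is impossible here, a short comment saying so would help.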

