krb5 commit: Fix read overflow in KDC sort_pa_data()

Greg Hudson ghudson at mit.edu
Mon Mar 19 16:10:01 EDT 2018


https://github.com/krb5/krb5/commit/b38e318cea18fd65647189eed64aef83bf1cb772
commit b38e318cea18fd65647189eed64aef83bf1cb772
Author: Greg Hudson <ghudson at mit.edu>
Date:   Thu Mar 15 20:27:30 2018 -0400

    Fix read overflow in KDC sort_pa_data()
    
    sort_pa_data() could read past the end of pa_order if all preauth
    systems in the table have the PA_REPLACES_KEY flag, causing a
    dereference of preauth_systems[-1].  This situation became possible
    after commit fea1a488924faa3938ef723feaa1ff12d22a91ff with the
    elimination of static_preauth_systems; before that there were always
    table entries which did not have PA_REPLACES_KEY set.
    
    Fix this bug by removing the loop to count n_key_replacers, and
    instead get the count from the prior loop by stopping once we move all
    of the key-replacing modules to the front.

 src/kdc/kdc_preauth.c |    9 +++++----
 1 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 6f34dc2..fdf67d9 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -598,17 +598,18 @@ sort_pa_order(krb5_context context, krb5_kdc_req *request, int *pa_order)
                 break;
             }
         }
+        /* If we didn't find one, we have moved all of the key-replacing
+         * modules, and i is the count of those modules. */
+        if (j == n_repliers)
+            break;
     }
+    n_key_replacers = i;
 
     if (request->padata != NULL) {
         /* Now reorder the subset of modules which replace the key,
          * bubbling those which handle pa_data types provided by the
          * client ahead of the others.
          */
-        for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) {
-            continue;
-        }
-        n_key_replacers = i;
         for (i = 0; i < n_key_replacers; i++) {
             if (pa_list_includes(request->padata,
                                  preauth_systems[pa_order[i]].type))


More information about the cvs-krb5 mailing list