krb5 commit [krb5-1.18]: Fix KDC null deref on TGS inner body null server

Greg Hudson ghudson at mit.edu
Mon Mar 14 16:11:18 EDT 2022


https://github.com/krb5/krb5/commit/fd9decf85055acca218c34c9e1222dc692b973d4
commit fd9decf85055acca218c34c9e1222dc692b973d4
Author: Greg Hudson <ghudson at mit.edu>
Date:   Tue Aug 3 01:15:27 2021 -0400

    Fix KDC null deref on TGS inner body null server
    
    After the KDC decodes a FAST inner body, it does not check for a null
    server.  Prior to commit 39548a5b17bbda9eeb63625a201cfd19b9de1c5b this
    would typically result in an error from krb5_unparse_name(), but with
    the addition of get_local_tgt() it results in a null dereference.  Add
    a null check.
    
    Reported by Joseph Sutton of Catalyst.
    
    CVE-2021-37750:
    
    In MIT krb5 releases 1.14 and later, an authenticated attacker can
    cause a null dereference in the KDC by sending a FAST TGS request with
    no server field.
    
    (cherry picked from commit d775c95af7606a51bf79547a94fa52ddd1cb7f49)
    
    ticket: 9008
    version_fixed: 1.18.5

 src/kdc/do_tgs_req.c |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 241f34e..386ed5f 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -208,6 +208,11 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         status = "FIND_FAST";
         goto cleanup;
     }
+    if (sprinc == NULL) {
+        status = "NULL_SERVER";
+        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+        goto cleanup;
+    }
 
     errcode = get_local_tgt(kdc_context, &sprinc->realm, header_server,
                             &local_tgt, &local_tgt_storage, &local_tgt_key);


More information about the cvs-krb5 mailing list