krb5 commit [krb5-1.20]: Ensure array count consistency in kadm5 RPC

ghudson at mit.edu ghudson at mit.edu
Tue Jul 11 18:56:56 EDT 2023 

https://github.com/krb5/krb5/commit/c81ffb6c8578a9b55c9d0a10342b5bc1bc6ec4df
commit c81ffb6c8578a9b55c9d0a10342b5bc1bc6ec4df
Author: Greg Hudson <ghudson at mit.edu>
Date:   Wed Jun 21 10:57:39 2023 -0400

    Ensure array count consistency in kadm5 RPC
    
    In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
    key_data array count when decoding.  Otherwise when the structure is
    later freed, xdr_array() could iterate over the wrong number of
    elements, either leaking some memory or freeing uninitialized
    pointers.  Reported by Robert Morris.
    
    CVE-2023-36054:
    
    An authenticated attacker can cause a kadmind process to crash by
    freeing uninitialized pointers.  Remote code execution is unlikely.
    An attacker with control of a kadmin server can cause a kadmin client
    to crash by freeing uninitialized pointers.
    
    (cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
    
    ticket: 9099
    version_fixed: 1.20.2

 src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index 0411c3fd3..287cae750 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
 			     int v)
 {
 	unsigned int n;
+	bool_t r;
 
 	if (!xdr_krb5_principal(xdrs, &objp->principal)) {
 		return (FALSE);
@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
 	if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
 		return (FALSE);
 	}
+	if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
+		return (FALSE);
+	}
 	if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
 		return (FALSE);
 	}
@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
 		return FALSE;
 	}
 	n = objp->n_key_data;
-	if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
-		       &n, ~0, sizeof(krb5_key_data),
-		       xdr_krb5_key_data_nocontents)) {
+	r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
+		      sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
+	objp->n_key_data = n;
+	if (!r) {
 		return (FALSE);
 	}

More information about the cvs-krb5 mailing list