[krbdev.mit.edu #8666] Explicit NULL deref in finish_dispatch()
Robbie Harwood via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Wed Apr 18 17:09:57 EDT 2018
In dispatch.c, dispatch() allocates a dispatch_state structure called
state, and initializes some fields. However, unless krb5_is_as_req(pkt)
is true, state->active_realm does not get initialized before the state
object is passed to finish_dispatch_cache.
finish_dispatch_cache() passes through state to finish_dispatch().
finish_dispatch() invokes the kdc_context macro in a call to
krb5_free_data(), which dereferences state->active_realm (for
realm_tgsprinc).
This is an explicit NULL dereference. Worth noting also is that
make_too_big_error() will attempt to dereference the same value later in
finish_dispatch().
Thanks,
--Robbie
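As an added illustration, not code from the ticket or from the krb5 sources, a simplified C model of the pattern described above: dispatch() sets active_realm only on the AS-REQ path, the kdc_context stand-in reaches through that pointer, and a hardened finish_dispatch variant skips realm-scoped work when no realm was ever selected. All types, bodies and the hardened form are assumptions made for this example.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical model of the dispatch_state pattern in the report.
 * Names echo the ticket; the definitions are assumptions, not krb5's. */
typedef struct { const char *realm_tgsprinc; } kdc_realm_t;

typedef struct {
    kdc_realm_t *active_realm;  /* initialized only on the AS-REQ path */
    char *scratch;              /* some per-request allocation */
} dispatch_state;

/* Stand-in for the kdc_context macro: it reaches through active_realm,
 * so it is only safe once that field has been set. */
#define kdc_context(s) ((s)->active_realm->realm_tgsprinc)

/* Models dispatch(): allocates state and sets active_realm only when the
 * packet is an AS-REQ, which is the gap the report describes. */
static dispatch_state *dispatch(int is_as_req, kdc_realm_t *realm) {
    dispatch_state *state = calloc(1, sizeof(*state));  /* NULL-filled */
    if (state == NULL)
        return NULL;
    state->scratch = malloc(16);
    if (is_as_req)
        state->active_realm = realm;
    return state;
}

/* Returns 1 if the original finish_dispatch() would dereference a NULL
 * active_realm for this state (the TGS-REQ and error paths), else 0. */
static int would_null_deref(const dispatch_state *state) {
    return state->active_realm == NULL;
}

/* Hardened finish_dispatch(): per-request memory is always released, but
 * realm-scoped cleanup only runs when a realm was selected. Returns 1 if
 * realm-scoped cleanup ran, 0 if it was skipped. Frees state. */
static int finish_dispatch_safe(dispatch_state *state) {
    int realm_cleanup = 0;
    if (state->active_realm != NULL) {
        (void)kdc_context(state);   /* safe: the field is initialized */
        realm_cleanup = 1;
    }
    free(state->scratch);
    free(state);
    return realm_cleanup;
}
```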