[krbdev.mit.edu #8666] git commit
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Mon Apr 23 20:17:26 EDT 2018
Fix KDC null dereference on large TGS replies

For TGS requests, dispatch() doesn't set state->active_realm, which
leads to a NULL dereference in finish_dispatch() if the reply is too
big for UDP. Prior to commit 0a2f14f752c32a24200363cc6b6ae64a92f81379
the active realm was a global and was set when process_tgs_req()
called setup_server_realm().

Move TGS decoding out of process_tgs_req() so that we can set
state->active_realm before any errors requiring response. Add a test
case.

[ghudson at mit.edu: edited commit message; added test case; reduced code
duplication; removed server handle from process_tgs_req() parameters]
https://github.com/krb5/krb5/commit/6afa8b4abf8f7c5774d03e6b15ee7288ad68d725
Author: Robbie Harwood <rharwood at redhat.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: 6afa8b4abf8f7c5774d03e6b15ee7288ad68d725
Branch: master
src/kdc/Makefile.in | 1 +
src/kdc/dispatch.c | 48 +++++++++++++++++++++++++++---------------------
src/kdc/do_tgs_req.c | 24 ++++++------------------
src/kdc/kdc_util.h | 5 ++---
src/kdc/t_bigreply.py | 19 +++++++++++++++++++
5 files changed, 55 insertions(+), 42 deletions(-)