[krbdev.mit.edu #8666] git commit
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Wed May 2 01:26:06 EDT 2018
Fix KDC null dereference on large TGS replies

For TGS requests, dispatch() doesn't set state->active_realm, which
leads to a NULL dereference in finish_dispatch() if the reply is too
big for UDP. Prior to commit 0a2f14f752c32a24200363cc6b6ae64a92f81379
the active realm was a global and was set when process_tgs_req()
called setup_server_realm().

Move TGS decoding out of process_tgs_req() so that we can set
state->active_realm before any errors requiring response. Add a test
case.

[ghudson at mit.edu: edited commit message; added test case; reduced code
duplication; removed server handle from process_tgs_req() parameters]

(cherry picked from commit 6afa8b4abf8f7c5774d03e6b15ee7288ad68d725)

https://github.com/krb5/krb5/commit/be1e46f32c603cde7880cf07ed830a7320e959e1
Author: Robbie Harwood <rharwood at redhat.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: be1e46f32c603cde7880cf07ed830a7320e959e1
Branch: krb5-1.15
src/kdc/Makefile.in | 1 +
src/kdc/dispatch.c | 46 ++++++++++++++++++++++++++--------------------
src/kdc/do_tgs_req.c | 24 ++++++------------------
src/kdc/kdc_util.h | 5 ++---
src/kdc/t_bigreply.py | 12 ++++++++++++
5 files changed, 47 insertions(+), 41 deletions(-)
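The ordering defect the commit message describes, as an added model in C that is not krb5's own code: the struct, the function names and the UDP limit are simplified stand-ins for dispatch()/finish_dispatch() assumed here for illustration, and the NULL dereference is modelled as a failure return instead of a crash.

```c
/* Model of the bug: on the TGS path state->active_realm stayed NULL, and
 * finish_dispatch() dereferenced it when the reply was too big for UDP.
 * The fix records the realm before any error that needs a response. */
#include <stdio.h>

#define UDP_MAX 1400   /* constructed UDP payload limit for this model */

struct state {
    const char *active_realm;   /* NULL until the request realm is known */
    int is_udp;
    size_t reply_len;
};

/* Stand-in for finish_dispatch(): an oversized UDP reply is replaced by a
 * RESPONSE_TOO_BIG error that names the realm. Returns 1 when such an error
 * was built, 0 when the reply fits, -1 for the NULL realm the fix removes. */
static int finish_dispatch(struct state *st, char *err, size_t errlen)
{
    if (st->is_udp && st->reply_len > UDP_MAX) {
        if (st->active_realm == NULL)
            return -1;  /* the real code crashed here */
        snprintf(err, errlen, "RESPONSE_TOO_BIG realm=%s", st->active_realm);
        return 1;
    }
    return 0;
}

/* Before the fix: the TGS path never copied the realm into the state
 * (it used to be a global set inside process_tgs_req()). */
static int dispatch_before(const char *req_realm, int is_udp,
                           size_t reply_len, char *err, size_t errlen)
{
    struct state st = { NULL, is_udp, reply_len };
    (void)req_realm;   /* decoded realm is never stored on this path */
    return finish_dispatch(&st, err, errlen);
}

/* After the fix: decode the TGS request and set active_realm first, so
 * every later error path has the realm it needs for the reply. */
static int dispatch_after(const char *req_realm, int is_udp,
                          size_t reply_len, char *err, size_t errlen)
{
    struct state st = { NULL, is_udp, reply_len };
    st.active_realm = req_realm;   /* set before any error requiring response */
    return finish_dispatch(&st, err, errlen);
}
```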