MITKRB5-SA-2003-05: Buffer overrun and underrun in principal name handling

Ken Raeburn raeburn at MIT.EDU
Wed Mar 19 20:04:32 EST 2003

                 MIT krb5 Security Advisory 2003-005


Topic: Buffer overrun and underrun in principal name handling

Severity: SERIOUS


Buffer overrun and underrun problems exist in Kerberos principal name
handling in unusual cases, such as names with zero components, names
with one empty component, or host-based service principal names with
no host name component.


 * Corruption of malloc pool, probably leading to program crash.

   + The KDC may be vulnerable.

   + Depending on the malloc implementation and platform, it may be
     possible to build more serious exploits on this.

 * Reference to data just past the end of an array in the KDC, for
   comparison against certain fixed data.  May result in crashing the


MIT Kerberos 5, all released versions through 1.2.7 and 1.3-alpha1.


The following patches should fix the most urgent aspects of the
problems in the 1.2.7 release.  If these patches do not apply cleanly
to 1.2.6 and earlier versions, the corresponding changes should be
fairly straightforward.  The patch to krb5.hin should change any
missed overrun cases in this area into null pointer dereferences,
which will be more likely to crash the program instead of referencing
arbitrary data.

Index: include/krb5.hin
RCS file: /cvs/krbdev/krb5/src/include/krb5.hin,v
retrieving revision
diff -p -u -r1. krb5.hin
--- include/krb5.hin	2002/04/16 23:47:53
+++ include/krb5.hin	2003/03/19 00:38:54
@@ -326,7 +326,7 @@ typedef krb5_const krb5_principal_data F
 #define	krb5_princ_size(context, princ) (princ)->length
 #define	krb5_princ_type(context, princ) (princ)->type
 #define	krb5_princ_name(context, princ) (princ)->data
-#define	krb5_princ_component(context, princ,i) ((princ)->data + i)
+#define	krb5_princ_component(context, princ,i) (i < krb5_princ_size(context, princ) ? ((princ)->data + i) : NULL)
  * end "base-defs.h"
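Review bot: the new guard `i < krb5_princ_size(context, princ)` still accepts a negative index, and the macro argument `i` is neither parenthesized nor evaluated only once; `krb5_princ_component(context, princ, -1)` passes the check and expands to `(princ)->data + -1`, a pointer before the array, and an argument with side effects now runs twice. Suggest `(((i) >= 0 && (i) < krb5_princ_size(context, princ)) ? ((princ)->data + (i)) : NULL)`, and a note in the header that the macro can now return NULL, since every existing caller dereferences the result immediately (which is what turns the former overrun into the null pointer dereference described above).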
Index: kdc/kdc_util.c
RCS file: /cvs/krbdev/krb5/src/kdc/kdc_util.c,v
retrieving revision
diff -p -u -r5. kdc_util.c
--- kdc/kdc_util.c	2002/10/31 00:38:34
+++ kdc/kdc_util.c	2003/03/19 00:39:00
@@ -157,7 +157,8 @@ realm_compare(princ1, princ2)
 krb5_boolean krb5_is_tgs_principal(principal)
 	krb5_principal	principal;
-	if ((krb5_princ_component(kdc_context, principal, 0)->length ==
+	if (krb5_princ_size(kdc_context, principal) > 0 &&
+	    (krb5_princ_component(kdc_context, principal, 0)->length ==
 	     KRB5_TGS_NAME_SIZE) &&
 	    (!memcmp(krb5_princ_component(kdc_context, principal, 0)->data,
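Review bot: the `krb5_princ_size(kdc_context, principal) > 0 &&` guard correctly relies on `&&` short-circuiting to protect both the `->length` dereference and the `memcmp` on component 0, but a zero-component principal now silently evaluates to "not a TGS principal" and falls through; the KDC callers of krb5_is_tgs_principal should be checked to confirm they reject such a name as malformed rather than treating it as an ordinary service principal. Any other place in the KDC that reaches component 0 through `->data[0]` rather than the patched krb5_princ_component macro needs the same size check.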
Index: lib/krb5/krb/unparse.c
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/unparse.c,v
retrieving revision
diff -p -u -r5.27.4.1 unparse.c
--- lib/krb5/krb/unparse.c	2002/08/12 22:55:01
+++ lib/krb5/krb/unparse.c	2003/03/19 00:39:02
@@ -153,7 +153,8 @@ krb5_unparse_name_ext(context, principal
 		*q++ = COMPONENT_SEP;
-	q--;			/* Back up last component separator */
+	if (i > 0)
+	    q--;		/* Back up last component separator */
 	*q++ = REALM_SEP;
 	cp = krb5_princ_realm(context, principal)->data;
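Review bot: the `if (i > 0)` guard closes the underrun (with no components, `q--` stepped to one byte before the allocated buffer and the following `*q++ = REALM_SEP` wrote there), but the size computation earlier in krb5_unparse_name_ext, not shown in this hunk, must also produce room for REALM_SEP, the realm and the terminating NUL when the component loop contributes nothing; worth confirming it does not subtract a separator that was never written. A comment on the zero-component output form (a name that unparses as "@REALM") would also help, since that string is what callers will now see for such a principal.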

The problem exists in other parts of the code as well, but should only
result in crashing application servers when the realm has been
misconfigured to use broken service names, or crashing application
clients when they are supplied broken principal names.
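The following C program is an added example and is not code from the advisory or from MIT krb5. It models the three patched sites with constructed stand-in types: the krb5_data and krb5_principal_data structs, the princ_component macro, and the is_tgs_principal, unparse_name and make_principal functions are simplified assumptions written for this illustration, not the library's real definitions. The macro adds the index parentheses and non-negative check the krb5.hin patch lacks, and unparse_name tracks the write position as a signed index so the pre-patch zero-component underrun is reported as an error code instead of being performed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the krb5 principal types (assumption: only the
 * fields the advisory's patches touch are modelled). */
typedef struct { int length; char *data; } krb5_data;
typedef struct {
    krb5_data  realm;
    krb5_data *data;    /* array of name components */
    int        length;  /* number of components */
} krb5_principal_data;

#define COMPONENT_SEP '/'
#define REALM_SEP     '@'
#define TGS_NAME      "krbtgt"
#define TGS_NAME_SIZE 6

/* Patched shape of krb5_princ_component: out-of-range (including negative)
 * index yields NULL instead of a pointer outside the component array. */
#define princ_component(princ, i) \
    (((i) >= 0 && (i) < (princ)->length) ? ((princ)->data + (i)) : NULL)

/* Fill a principal from constructed pieces; comps must hold ncomp entries. */
void make_principal(krb5_principal_data *p, krb5_data *comps, int ncomp,
                    const char **names, const char *realm)
{
    int i;
    for (i = 0; i < ncomp; i++) {
        comps[i].data   = (char *)names[i];
        comps[i].length = (int)strlen(names[i]);
    }
    p->data = comps;
    p->length = ncomp;
    p->realm.data   = (char *)realm;
    p->realm.length = (int)strlen(realm);
}

/* Mirrors krb5_is_tgs_principal after the kdc_util.c fix: a zero-component
 * name makes the macro return NULL, so that is tested before dereferencing. */
int is_tgs_principal(const krb5_principal_data *p)
{
    const krb5_data *c = princ_component(p, 0);
    return c != NULL
        && c->length == TGS_NAME_SIZE
        && memcmp(c->data, TGS_NAME, TGS_NAME_SIZE) == 0;
}

/* Mirrors the unparse.c logic: each component followed by '/', back up over
 * the last '/', then '@', realm, NUL. With patched == 0 the back-up is
 * unconditional; on a zero-component name that moves before the buffer,
 * reported here as -2 rather than written. Returns 0 and a malloc'ed string
 * in *out on success, -1 on allocation failure. */
int unparse_name(const krb5_principal_data *p, int patched, char **out)
{
    size_t totalsize = 0;
    long   q = 0;          /* signed so an underrun is visible as -1 */
    int    i;
    char  *buf;

    for (i = 0; i < p->length; i++)
        totalsize += (size_t)p->data[i].length + 1;   /* component + '/' */
    totalsize += 1 + (size_t)p->realm.length + 1;     /* '@' + realm + NUL */

    *out = NULL;
    buf = malloc(totalsize);
    if (buf == NULL)
        return -1;

    for (i = 0; i < p->length; i++) {
        memcpy(buf + q, p->data[i].data, (size_t)p->data[i].length);
        q += p->data[i].length;
        buf[q++] = COMPONENT_SEP;
    }
    if (!patched || i > 0)
        q--;                      /* back up last component separator */
    if (q < 0) {                  /* the underrun the patch prevents */
        free(buf);
        return -2;
    }
    buf[q++] = REALM_SEP;
    memcpy(buf + q, p->realm.data, (size_t)p->realm.length);
    q += p->realm.length;
    buf[q] = '\0';
    *out = buf;
    return 0;
}

int main(void)
{
    krb5_principal_data p;
    krb5_data comps[4];
    const char *tgt[] = { "krbtgt", "EXAMPLE.COM" };   /* constructed input */
    char *s;

    make_principal(&p, comps, 2, tgt, "EXAMPLE.COM");
    printf("tgs: %d, component 2: %p\n", is_tgs_principal(&p),
           (void *)princ_component(&p, 2));
    if (unparse_name(&p, 1, &s) == 0) { puts(s); free(s); }

    make_principal(&p, comps, 0, NULL, "EXAMPLE.COM");  /* zero components */
    printf("unpatched unparse of zero-component name: %d\n",
           unparse_name(&p, 0, &s));
    if (unparse_name(&p, 1, &s) == 0) { puts(s); free(s); }
    return 0;
}
```

The single-component case ("host" with no host name, the third shape named in the summary) goes through the same path without a memory error here: it unparses as "host@EXAMPLE.COM" and is rejected by is_tgs_principal on length, which is why the advisory places the remaining risk for such names in application servers and clients rather than in these three sites.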


Thanks to Nalin Dahyabhai of Red Hat for bringing the problems to our


For more information, contact Ken Raeburn <raeburn at>, Sam
Hartman <hartmans at>, or Marshall Vale <mjv at>.

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at: