Multi-realm KDC null deref [CVE-2013-1418]

If a KDC serves multiple realms, certain requests can cause setup_server_realm() to dereference a null pointer, crashing the KDC. CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C A related but more minor vulnerability requires authentication to exploit, and is only present if a third-party KDC database module can dereference a null pointer under certain conditions. ticket: 7755 (new) target_version: 1.12 tags: pullup
author: Tom Yu <tlyu@mit.edu> 2013-11-04 13:44:29 -0500
committer: Tom Yu <tlyu@mit.edu> 2013-11-04 14:37:05 -0500
commit: 5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf (patch)
tree: df5e1dc03fe0c6cf04f64a646ab2e9de9b9db35b /src/kdc
parent: bcc91c8d8b3d5b775cfde1ee461d7e0394070852 (diff)
download: krb5-5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf.tar.gz
krb5-5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf.tar.xz
krb5-5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 0f5961acb3..a7ffe635d9 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -124,6 +124,9 @@ setup_server_realm(struct server_handle *handle, krb5_principal sprinc)
     kdc_realm_t **kdc_realmlist = handle->kdc_realmlist;
     int kdc_numrealms = handle->kdc_numrealms;
 
+    if (sprinc == NULL)
+        return NULL;
+
     if (kdc_numrealms > 1) {
         if (!(newrealm = find_realm_data(handle, sprinc->realm.data,
                                          (krb5_ui_4) sprinc->realm.length)))
author	Tom Yu <tlyu@mit.edu>	2013-11-04 13:44:29 -0500
committer	Tom Yu <tlyu@mit.edu>	2013-11-04 14:37:05 -0500
commit	5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf (patch)
tree	df5e1dc03fe0c6cf04f64a646ab2e9de9b9db35b /src/kdc
parent	bcc91c8d8b3d5b775cfde1ee461d7e0394070852 (diff)
download	krb5-5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf.tar.gz krb5-5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf.tar.xz krb5-5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf.zip