diff options
author | Tom Yu <tlyu@mit.edu> | 2013-11-04 13:44:29 -0500 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2013-11-04 14:37:05 -0500 |
commit | 5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf (patch) | |
tree | df5e1dc03fe0c6cf04f64a646ab2e9de9b9db35b /src/kdc | |
parent | bcc91c8d8b3d5b775cfde1ee461d7e0394070852 (diff) | |
download | krb5-5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf.tar.gz krb5-5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf.tar.xz krb5-5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf.zip |
Multi-realm KDC null deref [CVE-2013-1418]
If a KDC serves multiple realms, certain requests can cause
setup_server_realm() to dereference a null pointer, crashing the KDC.
CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
A related but more minor vulnerability requires authentication to
exploit, and is only present if a third-party KDC database module can
dereference a null pointer under certain conditions.
ticket: 7755 (new)
target_version: 1.12
tags: pullup
Diffstat (limited to 'src/kdc')
-rw-r--r-- | src/kdc/main.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/kdc/main.c b/src/kdc/main.c index 0f5961acb3..a7ffe635d9 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -124,6 +124,9 @@ setup_server_realm(struct server_handle *handle, krb5_principal sprinc) kdc_realm_t **kdc_realmlist = handle->kdc_realmlist; int kdc_numrealms = handle->kdc_numrealms; + if (sprinc == NULL) + return NULL; + if (kdc_numrealms > 1) { if (!(newrealm = find_realm_data(handle, sprinc->realm.data, (krb5_ui_4) sprinc->realm.length))) |