MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service

Code introduced in krb5-1.7 can cause an assertion failure if a KDC-REQ is internally inconsistent, specifically if the ASN.1 tag doesn't match the msg_type field. Thanks to Emmanuel Bouillon (NATO C3 Agency) for discovering and reporting this vulnerability. ticket: 6662 tags: pullup target_version: 1.8 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23724 dc483132-0cff-0310-8789-dd5450dbe970
author: Tom Yu <tlyu@mit.edu> 2010-02-16 22:10:17 +0000
committer: Tom Yu <tlyu@mit.edu> 2010-02-16 22:10:17 +0000
commit: aef4a62723bc1e4cdcdb15c130729d3e130426fd (patch)
tree: f76f4f833d390ef9e955261231dd6151f23c60f7 /src/kdc/do_as_req.c
parent: 373a23547c7c256b6eaf71713706dd847c826f2b (diff)
download: krb5-aef4a62723bc1e4cdcdb15c130729d3e130426fd.tar.gz
krb5-aef4a62723bc1e4cdcdb15c130729d3e130426fd.tar.xz
krb5-aef4a62723bc1e4cdcdb15c130729d3e130426fd.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index b183dcfc7..39242979a 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -139,6 +139,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     session_key.contents = 0;
     enc_tkt_reply.authorization_data = NULL;
 
+    if (request->msg_type != KRB5_AS_REQ) {
+        status = "msg_type mismatch";
+        errcode = KRB5_BADMSGTYPE;
+        goto errout;
+    }
     errcode = kdc_make_rstate(&state);
     if (errcode != 0) {
         status = "constructing state";
author	Tom Yu <tlyu@mit.edu>	2010-02-16 22:10:17 +0000
committer	Tom Yu <tlyu@mit.edu>	2010-02-16 22:10:17 +0000
commit	aef4a62723bc1e4cdcdb15c130729d3e130426fd (patch)
tree	f76f4f833d390ef9e955261231dd6151f23c60f7 /src/kdc/do_as_req.c
parent	373a23547c7c256b6eaf71713706dd847c826f2b (diff)
download	krb5-aef4a62723bc1e4cdcdb15c130729d3e130426fd.tar.gz krb5-aef4a62723bc1e4cdcdb15c130729d3e130426fd.tar.xz krb5-aef4a62723bc1e4cdcdb15c130729d3e130426fd.zip