diff options
| author | Tom Yu <tlyu@mit.edu> | 2012-07-31 22:45:08 -0400 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2012-08-01 13:42:26 -0400 |
| commit | 3551501359c6d2396fa4779d378ae165f5b37242 (patch) | |
| tree | d5d9c24305b0d2468d5b1f0f7de9d3cf18af2928 /src/kdc/kdc_util.c | |
| parent | f6f5c680aa0a57f581e5f192cef46567cc7415e2 (diff) | |
| download | krb5-3551501359c6d2396fa4779d378ae165f5b37242.tar.gz krb5-3551501359c6d2396fa4779d378ae165f5b37242.tar.xz krb5-3551501359c6d2396fa4779d378ae165f5b37242.zip | |
Fix KDC heap corruption vuln [CVE-2012-1015]
Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
CVE-2012-1015]. The cleanup code in
kdc_handle_protected_negotiation() in kdc_util.c could free an
uninitialized pointer in some error conditions involving "similar"
enctypes and a failure in krb5_c_make_checksum().
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of this
vulnerability (possibly in unpatched KDCs).
Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
applies to the krb5-1.10 branch and doesn't affect the master branch
or releases prior to krb5-1.10.
ticket: 7225 (new)
target_version: 1.9.5
tags: pullup
Diffstat (limited to 'src/kdc/kdc_util.c')
| -rw-r--r-- | src/kdc/kdc_util.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index d3babe7f9..a2a9b4b07 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -2490,6 +2490,7 @@ kdc_handle_protected_negotiation(krb5_data *req_pkt, krb5_kdc_req *request, return 0; pa.magic = KV5M_PA_DATA; pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP; + memset(&checksum, 0, sizeof(checksum)); retval = krb5_c_make_checksum(kdc_context,0, reply_key, KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum); if (retval != 0) |