- upstream patch to correct a denial-of-service in KDCs in 1.7 and later

1 files changed, 42 insertions, 0 deletions

diff --git a/2010-001-patch.txt b/2010-001-patch.txt
new file mode 100644
index 0000000..e14c722
--- /dev/null
+++ b/2010-001-patch.txt
@@ -0,0 +1,42 @@
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 52fbda5..680e6a1 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+     session_key.contents = 0;
+     enc_tkt_reply.authorization_data = NULL;
+ 
++    if (request->msg_type != KRB5_AS_REQ) {
++        status = "msg_type mismatch";
++        errcode = KRB5_BADMSGTYPE;
++        goto errout;
++    }
+     errcode = kdc_make_rstate(&state);
+     if (errcode != 0) {
+ 	status = "constructing state";
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 12180ff..c8cf692 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
+     retval = decode_krb5_tgs_req(pkt, &request);
+     if (retval)
+         return retval;
++    if (request->msg_type != KRB5_TGS_REQ)
++        return KRB5_BADMSGTYPE;
+ 
+     /*
+      * setup_server_realm() sets up the global realm-specific data pointer.
+diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
+index d88e0cb..2639047 100644
+--- a/src/kdc/fast_util.c
++++ b/src/kdc/fast_util.c
+@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error
+     krb5_data *encoded_e_data = NULL;
+ 
+     memset(outer_pa, 0, sizeof(outer_pa));
+-    if (!state->armor_key)
++    if (!state || !state->armor_key)
+ 	return 0;
+     fx_error = *err;
+     fx_error.e_data.data = NULL;