Subject: krb5kdc deref uninit memory on the stack on unknown principal (pk-init)
do_as_req.c : in process_as_req memset "reply" to 0.

Vendor's priority - Serious Bug
Vendor's patch - LHA-6397025-dont-deref-stack-memory
Including the patch

Crashes in de-ref of reply later when it tries to free memory; this is in the error path from a non-existent client principal.


diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c
--- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c 2008-11-22 13:06:24.000000000 -0800
+++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kdc/do_as_req.c 2008-11-22 17:37:33.000000000 -0800
@@ -105,7 +105,7 @@
ticket_reply.enc_part.ciphertext.data = 0;
e_data.data = 0;
encrypting_key.contents = 0;
- reply.padata = 0;
+ memset(&reply, 0, sizeof(reply));
session_key.contents = 0;
enc_tkt_reply.authorization_data = NULL;
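Review bot: the new memset(&reply, 0, sizeof(reply)) overwrites the whole structure, so it must stay ahead of any assignment to a reply member; worth a one-line comment saying the shared error path frees every member of reply and relies on this. The neighbouring lines (ticket_reply.enc_part.ciphertext.data = 0; e_data.data = 0; encrypting_key.contents = 0; session_key.contents = 0;) still clear one pointer member at a time, which is exactly the pattern that left reply.padata as the only initialized field; consider giving those structs the same sizeof()-wide memset so a future member added to any of them cannot reach the cleanup path uninitialized.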

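The defect above is a stack structure whose cleanup code frees every member while only one member was ever set to zero. The following is an added C example, not code from the krb5 tree or from this ticket, that reproduces the safe pattern the patch adopts: a constructed reply structure with several heap-owned members, a shared cleanup that frees them all, and an AS-REQ handler that clears the whole struct before its first early exit. The struct layout, field names, the "alice@EXAMPLE" lookup and the ERR_C_PRINCIPAL_UNKNOWN value are all constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the KDC reply: several heap-owned fields that
 * one shared cleanup path releases. Names are illustrative only, not the
 * real krb5_kdc_rep layout. */
typedef struct {
    char *padata;           /* pre-authentication data */
    char *ticket_data;      /* encoded ticket */
    char *enc_part_data;    /* encrypted-part ciphertext */
    char *session_key;      /* session key contents */
} kdc_reply_t;

/* Constructed error code for "client principal not found". */
#define ERR_C_PRINCIPAL_UNKNOWN 6

/* Shared cleanup: frees every owned member. Only safe when each member is
 * either a live heap pointer or NULL, which is what the bug violated. */
static void reply_cleanup(kdc_reply_t *reply)
{
    free(reply->padata);
    free(reply->ticket_data);
    free(reply->enc_part_data);
    free(reply->session_key);
}

/* Same idea as the patch: zero the entire structure, not one member. */
static void reply_init(kdc_reply_t *reply)
{
    memset(reply, 0, sizeof(*reply));
}

/* Number of members that still point at something; after reply_init()
 * this is 0, so the error path has nothing to free. */
static int reply_owned_fields(const kdc_reply_t *reply)
{
    return (reply->padata != NULL) + (reply->ticket_data != NULL)
         + (reply->enc_part_data != NULL) + (reply->session_key != NULL);
}

/* Simplified AS-REQ processing: look the client up and leave through the
 * shared cleanup when it is unknown. fields_at_error (optional) receives
 * reply_owned_fields() as seen by the error path. */
static int process_as_req(const char *client, int *fields_at_error)
{
    kdc_reply_t reply;      /* stack object, like the original */
    int err = 0;

    reply_init(&reply);     /* must precede the first early exit */

    /* Constructed principal lookup: only "alice@EXAMPLE" exists. */
    if (strcmp(client, "alice@EXAMPLE") != 0) {
        err = ERR_C_PRINCIPAL_UNKNOWN;
        if (fields_at_error)
            *fields_at_error = reply_owned_fields(&reply);
        goto cleanup;
    }

    /* Known client: populate the reply (contents are placeholders). */
    reply.padata        = strdup("pa-enc-timestamp");
    reply.ticket_data   = strdup("ticket-bytes");
    reply.enc_part_data = strdup("enc-part-bytes");
    reply.session_key   = strdup("key-bytes");
    if (!reply.padata || !reply.ticket_data ||
        !reply.enc_part_data || !reply.session_key)
        err = -1;           /* allocation failure; cleanup still safe */

cleanup:
    reply_cleanup(&reply);  /* free(NULL) is a no-op, so this cannot fault */
    return err;
}
```

The point of reply_owned_fields() is to make the invariant visible: whatever path reaches cleanup, every member is NULL or a pointer this function allocated. Replacing reply_init() with a single `reply.padata = 0;` recreates the ticket's bug, since the other three members would then be freed with whatever the stack happened to hold.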
From: tsitkova@mit.edu
Subject: SVN Commit
Fix data initialization in process_as_req function.

https://github.com/krb5/krb5/commit/5fb682827a9bf683f0a02db312d6fe3a358167d2
Commit By: tsitkova
Revision: 21291
Changed Files:
U trunk/src/kdc/do_as_req.c