Fix kpasswd UDP ping-pong [CVE-2002-2443]
The kpasswd service provided by kadmind was vulnerable to a UDP
"ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
they pass some basic validation, and don't respond to our own error
Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
attack or UDP ping-pong attacks in general, but there is discussion
leading toward narrowing the definition of CVE-1999-0103 to the echo,
chargen, or other similar built-in inetd services.
Thanks to Vincent Danen for alerting us to this issue.
(cherry picked from commit cf1a0c411b2668c57c41e9c4efd15ba17b6b322c)
Author: Tom Yu <email@example.com>
src/kadmin/server/schpw.c | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)