Skip Menu |

Subject: git commit
Download (untitled) / with headers
text/plain 1.4KiB

Fix build_principal memory bug [CVE-2015-2697]

In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string. This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not


In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte. If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm. Due to a bug in this
function, the null byte causes only one byte be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.


(cherry picked from commit f0c094a1b745d91ef2f9a4eae2149aac026a5789)
(cherry picked from commit 67bdf8189b24efca8a244316e7d51bd52d0dbda9)
Author: Greg Hudson <>
Committer: Tom Yu <>
Commit: 41d987867a29a8a8fa6f99de63d9e05b8792e91a
Branch: krb5-1.13
src/lib/krb5/krb/bld_princ.c | 6 ++----
1 files changed, 2 insertions(+), 4 deletions(-)