CVE-2010-1321 GSS-API lib null pointer deref (MITKRB5-SA-2010-005)
authorTom Yu <tlyu@mit.edu>
Wed, 19 May 2010 18:09:37 +0000 (18:09 +0000)
committerTom Yu <tlyu@mit.edu>
Wed, 19 May 2010 18:09:37 +0000 (18:09 +0000)
Make krb5_gss_accept_sec_context() check for a null authenticator
checksum pointer before attempting to dereference it.

ticket: 6725
tags: pullup
target_version: 1.8.2

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24056 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/krb5/accept_sec_context.c

index 2d70646907597af964fa0af2b09d30a0efe38558..e3ec8224b4d525529264dcfac137fbce69957cce 100644 (file)
@@ -640,6 +640,13 @@ kg_accept_krb5(minor_status, context_handle,
     }
 #endif
 
+    if (authdat->checksum == NULL) {
+        /* missing checksum counts as "inappropriate type" */
+        code = KRB5KRB_AP_ERR_INAPP_CKSUM;
+        major_status = GSS_S_FAILURE;
+        goto fail;
+    }
+
     if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
         /* Samba does not send 0x8003 GSS-API checksums */
         krb5_boolean valid;
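Review bot: The comment on the new `authdat->checksum == NULL` guard records the error mapping but not why the pointer can be null, which is the security-relevant part: the checksum field of an authenticator is optional on the wire, so the initiator decides whether it is present. I would expand it to something like `/* cksum is OPTIONAL in the authenticator and is supplied by the initiator; treat a missing one as "inappropriate type" */`. kg_accept_krb5 starts and ends outside this hunk, so it is not visible here whether every other read of `authdat->checksum` is reached only after this guard. That is worth confirming, along with a regression test covering an authenticator that carries no checksum.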