pull up r23533 from trunk

 ------------------------------------------------------------------------
 r23533 | tlyu | 2009-12-28 21:42:51 -0500 (Mon, 28 Dec 2009) | 10 lines

 ticket: 6608
 subject: MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals
 tags: pullup
 target_version: 1.7.1

 On certain error conditions, prep_reprocess_req() calls kdc_err() with
 a null pointer as the format string, causing a null dereference and
 denial of service.  Legitimate protocol requests can trigger this
 problem.

ticket: 6608
version_fixed: 1.7.1
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23534 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 298e1329358aff4e36a7a277bf855b6768193bef..12180ff93afbb5ba84bc3f5877c9142d61be4adf 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
             free(temp_buf);
             if (retval) {
                 /* no match found */
-                kdc_err(kdc_context, retval, 0);
+                kdc_err(kdc_context, retval, "unable to find realm of host");
                 goto cleanup;
             }
             if (realms == 0) {

diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index efff81872dc108a815719be612c3708cd828f76d..ef3735a374cad536de211c4cc1964073b51d6107 100644 (file)
--- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list
     char       *cp;
     char       *syslogp;
 
+    if (whoami == NULL || format == NULL)
+        return;
+
     /* Make the header */
     snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
     /*