MITKRB5-SA-2010-001 CVE-2010-0283 KDC denial of service
authorTom Yu <tlyu@mit.edu>
Tue, 16 Feb 2010 22:10:17 +0000 (22:10 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 16 Feb 2010 22:10:17 +0000 (22:10 +0000)
Code introduced in krb5-1.7 can cause an assertion failure if a
KDC-REQ is internally inconsistent, specifically if the ASN.1 tag
doesn't match the msg_type field.  Thanks to Emmanuel Bouillon (NATO
C3 Agency) for discovering and reporting this vulnerability.

ticket: 6662
tags: pullup
target_version: 1.8

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23724 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/do_as_req.c
src/kdc/do_tgs_req.c
src/kdc/fast_util.c

index b183dcfc7b2671b7a93089d1b415e237042cd95a..39242979aa3c8944123a29dc5b6d00f295dad18f 100644 (file)
@@ -139,6 +139,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
     session_key.contents = 0;
     enc_tkt_reply.authorization_data = NULL;
 
+    if (request->msg_type != KRB5_AS_REQ) {
+        status = "msg_type mismatch";
+        errcode = KRB5_BADMSGTYPE;
+        goto errout;
+    }
     errcode = kdc_make_rstate(&state);
     if (errcode != 0) {
         status = "constructing state";
index cb0496f9da3059f71639a52402b537c26871ac4e..44b5791bc143d96460d57a665308988e0f4b2366 100644 (file)
@@ -143,6 +143,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
     retval = decode_krb5_tgs_req(pkt, &request);
     if (retval)
         return retval;
+    if (request->msg_type != KRB5_TGS_REQ)
+        return KRB5_BADMSGTYPE;
 
     /*
      * setup_server_realm() sets up the global realm-specific data pointer.
index 06b1e2bc7a60503707f89ac4388f68dc48650c89..e411e320d4de0d1b168c499aa768c407277f382b 100644 (file)
@@ -384,7 +384,7 @@ kdc_fast_handle_error(krb5_context context,
     krb5_data *encoded_e_data = NULL;
 
     memset(outer_pa, 0, sizeof(outer_pa));
-    if (!state->armor_key)
+    if (!state || !state->armor_key)
         return 0;
     fx_error = *err;
     fx_error.e_data.data = NULL;