projects / krb5.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 982264e)
pull up r25525 from trunk
authorTom Yu <tlyu@mit.edu>
Tue, 6 Dec 2011 20:52:18 +0000 (20:52 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 6 Dec 2011 20:52:18 +0000 (20:52 +0000)
 ------------------------------------------------------------------------
 r25525 | tlyu | 2011-12-06 15:42:46 -0500 (Tue, 06 Dec 2011) | 8 lines

 ticket: 7042
 subject: SA-2011-007 KDC null pointer deref in TGS handling [CVE-2011-1530]
 target_version: 1.10
 tags: pullup

 Fix a null pointer dereference condition that could cause a denial of
 service.

ticket: 7042
version_fixed: 1.10
status: resolved

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-10@25526 dc483132-0cff-0310-8789-dd5450dbe970

src/kdc/Makefile.in patch | blob | history
src/kdc/do_tgs_req.c patch | blob | history
src/kdc/t_emptytgt.py [new file with mode: 0644] patch | blob

diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index 118f8f78033c8738797298286a655ea3cd2c251a..8994a6a7676e48e5dcfcddb0667a79bf66385db0 100644 (file)
--- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
@@ -71,6 +71,7 @@ check-unix:: rtest
 
 check-pytests::
        $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
+       $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
 
 install::
        $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 0f001d67c328cacc27fff8aeb85d85aec1608f91..56d9869c160d9608497640855b86b3a886c0be50 100644 (file)
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -238,7 +238,8 @@ tgt_again:
                     if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
                         errcode = find_alternate_tgs(request, &server);
                         firstpass = 0;
-                        goto tgt_again;
+                        if (errcode == 0)
+                            goto tgt_again;
                     }
                 }
                 status = "UNKNOWN_SERVER";
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
new file mode 100644 (file)
index 0000000..1760bcd
--- /dev/null
+++ b/src/kdc/t_emptytgt.py
@@ -0,0 +1,8 @@
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:
+    fail('TGT lookup for empty realm failed in unexpected way')
+success('Empty tgt lookup.')
MIT implementation of the Kerberos network authentication protocol. This repo may be rebased, so don't base your work on it. Use git://github.com/krb5/krb5 instead.