From: Tom Yu Date: Tue, 29 Dec 2009 02:42:51 +0000 (+0000) Subject: MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals X-Git-Tag: krb5-1.8-alpha1~50 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=289555f989b42f2b8d13efe4904dc3515433d5e5;p=krb5.git MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals On certain error conditions, prep_reprocess_req() calls kdc_err() with a null pointer as the format string, causing a null dereference and denial of service. Legitimate protocol requests can trigger this problem. ticket: 6608 tags: pullup target_version: 1.7.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23533 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 4a778f412..26fde1e0c 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1251,7 +1251,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) free(temp_buf); if (retval) { /* no match found */ - kdc_err(kdc_context, retval, 0); + kdc_err(kdc_context, retval, "unable to find realm of host"); goto cleanup; } if (realms == 0) { diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c index a3f433910..384e7a8bb 100644 --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c @@ -189,6 +189,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list char *cp; char *syslogp; + if (whoami == NULL || format == NULL) + return; + /* Make the header */ snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); /*