From: Tom Yu Date: Tue, 29 Dec 2009 02:56:46 +0000 (+0000) Subject: pull up r23533 from trunk X-Git-Tag: krb5-1.7.1-beta1~25 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=6419f49ecd068cb116d1ebe6010ac03f22aa9f83;p=krb5.git pull up r23533 from trunk ------------------------------------------------------------------------ r23533 | tlyu | 2009-12-28 21:42:51 -0500 (Mon, 28 Dec 2009) | 10 lines ticket: 6608 subject: MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals tags: pullup target_version: 1.7.1 On certain error conditions, prep_reprocess_req() calls kdc_err() with a null pointer as the format string, causing a null dereference and denial of service. Legitimate protocol requests can trigger this problem. ticket: 6608 version_fixed: 1.7.1 status: resolved git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23534 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 298e13293..12180ff93 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) free(temp_buf); if (retval) { /* no match found */ - kdc_err(kdc_context, retval, 0); + kdc_err(kdc_context, retval, "unable to find realm of host"); goto cleanup; } if (realms == 0) { diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c index efff81872..ef3735a37 100644 --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c @@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list char *cp; char *syslogp; + if (whoami == NULL || format == NULL) + return; + /* Make the header */ snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); /*