From 26ff86b99636dfd136d93b5cc7e50623be4d70fa Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 5 Oct 2010 21:05:19 +0000 Subject: [PATCH] CVE-2010-1322 KDC uninitialized pointer crash in authorization data handling (MITKRB5-SA-2010-006) When the KDC receives certain TGS-REQ messages, it may dereference an uninitialized pointer while processing authorization data, causing a crash, or in rare cases, unauthorized information disclosure, ticket modification, or execution of arbitrary code. The crash may be triggered by legitimate requests. Correctly implement the filtering of authorization data items to avoid leaving uninitialized pointers when omitting items. ticket: 6797 tags: pullup target_version: 1.8.4 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24429 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/kdc_authdata.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/kdc/kdc_authdata.c b/src/kdc/kdc_authdata.c index fa6a72e39..a4f81a60a 100644 --- a/src/kdc/kdc_authdata.c +++ b/src/kdc/kdc_authdata.c @@ -495,7 +495,7 @@ merge_authdata (krb5_context context, krb5_boolean copy, krb5_boolean ignore_kdc_issued) { - size_t i, nadata = 0; + size_t i, j, nadata = 0; krb5_authdata **authdata = *out_authdata; if (in_authdata == NULL || in_authdata[0] == NULL) @@ -529,16 +529,16 @@ merge_authdata (krb5_context context, in_authdata = tmp; } - for (i = 0; in_authdata[i] != NULL; i++) { + for (i = 0, j = 0; in_authdata[i] != NULL; i++) { if (ignore_kdc_issued && is_kdc_issued_authdatum(context, in_authdata[i], 0)) { free(in_authdata[i]->contents); free(in_authdata[i]); } else - authdata[nadata + i] = in_authdata[i]; + authdata[nadata + j++] = in_authdata[i]; } - authdata[nadata + i] = NULL; + authdata[nadata + j] = NULL; free(in_authdata); -- 2.26.2