From 289555f989b42f2b8d13efe4904dc3515433d5e5 Mon Sep 17 00:00:00 2001 From: Tom Yu Date: Tue, 29 Dec 2009 02:42:51 +0000 Subject: [PATCH] MITKRB5-SA-2009-003 CVE-2009-3295 KDC null deref in referrals On certain error conditions, prep_reprocess_req() calls kdc_err() with a null pointer as the format string, causing a null dereference and denial of service. Legitimate protocol requests can trigger this problem. ticket: 6608 tags: pullup target_version: 1.7.1 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23533 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kdc/do_tgs_req.c | 2 +- src/lib/kadm5/logger.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 4a778f412..26fde1e0c 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -1251,7 +1251,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) free(temp_buf); if (retval) { /* no match found */ - kdc_err(kdc_context, retval, 0); + kdc_err(kdc_context, retval, "unable to find realm of host"); goto cleanup; } if (realms == 0) { diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c index a3f433910..384e7a8bb 100644 --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c @@ -189,6 +189,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list char *cp; char *syslogp; + if (whoami == NULL || format == NULL) + return; + /* Make the header */ snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); /* -- 2.26.2