Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500
From 9cb63711e63042f22da914ba039c4537b22e8fb0 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Fri, 25 Sep 2015 12:51:47 -0400
Subject: [PATCH 3/4] Fix build_principal memory bug [CVE-2015-2697]

In build_principal_va(), use k5memdup0() instead of strdup() to make a
copy of the realm, to ensure that we allocate the correct number of
bytes and do not read past the end of the input string. This bug
affects krb5_build_principal(), krb5_build_principal_va(), and
krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not
affected.

CVE-2015-2697:

In MIT krb5 1.7 and later, an authenticated attacker may be able to
cause a KDC to crash using a TGS request with a large realm field
beginning with a null byte. If the KDC attempts to find a referral to
answer the request, it constructs a principal name for lookup using
krb5_build_principal() with the requested realm. Due to a bug in this
function, the null byte causes only one byte to be allocated for the
realm field of the constructed principal, far less than its length.
Subsequent operations on the lookup principal may cause a read beyond
the end of the mapped memory region, causing the KDC process to crash.

CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

ticket: 8252 (new)
target_version: 1.14
tags: pullup

Backport upstream commit:
https://github.com/krb5/krb5/commit/f0c094a1b745d91ef2f9a4eae2149aac026a5789

Upstream-Status: Backport
---
 src/lib/krb5/krb/bld_princ.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
index ab6fed8..8604268 100644
--- a/src/lib/krb5/krb/bld_princ.c
+++ b/src/lib/krb5/krb/bld_princ.c
@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
data = malloc(size * sizeof(krb5_data));
if (!data) { retval = ENOMEM; }

- if (!retval) {
- r = strdup(realm);
- if (!r) { retval = ENOMEM; }
- }
+ if (!retval)
+ r = k5memdup0(realm, rlen, &retval);

while (!retval && (component = va_arg(ap, char *))) {
if (count == size) {
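Review bot: the fix depends on `rlen` being the caller-supplied realm length already in scope, and that variable is not visible in this hunk; a reviewer should confirm it comes from the function's length parameter rather than from a `strlen()` of `realm`, because a `strlen()`-derived value would stop at the same leading null byte the commit message describes and leave the one-byte allocation in place. Note also that the error handling changes shape: the removed lines set `retval = ENOMEM` explicitly, whereas `k5memdup0(realm, rlen, &retval)` now writes the result code into `retval` itself, so the `while (!retval ...)` loop that follows sees the allocation failure through that out-parameter rather than through a separate `if (!r)` check.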
--
1.9.1
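The commit message explains the defect in terms of allocation size: strdup() measures the realm up to the first null byte, so a realm beginning with NUL yields a one-byte copy while the principal still records the full requested length. The C program below is an added illustration and is not code from MIT krb5 or from this patch; memdup0_copy() is a hypothetical stand-in written here for the length-bounded k5memdup0() the fix switches to, and the 12-byte realm starting with a null byte is a constructed sample. It reports the number of bytes each copying strategy allocates and how far a consumer trusting the declared length would read past the copy.

```c
#define _POSIX_C_SOURCE 200809L   /* expose strdup() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for MIT krb5's k5memdup0() (not the library's
 * code): copy exactly len bytes, append a NUL, report ENOMEM via *code. */
static void *memdup0_copy(const void *in, size_t len, int *code)
{
    char *out = malloc(len + 1);
    if (out == NULL) {
        *code = ENOMEM;
        return NULL;
    }
    memcpy(out, in, len);
    out[len] = '\0';
    *code = 0;
    return out;
}

/* Constructed realm field of 12 bytes whose first byte is NUL; in krb5
 * this would arrive as a krb5_data with .length = 12. */
static const char sample_realm[] = "\0EXAMPLE.ORG";
#define SAMPLE_REALM_LEN (sizeof(sample_realm) - 1)

/* Pre-fix path: strdup() stops at the first NUL, so the allocation holds
 * only the terminator. Returns the number of bytes allocated for the copy. */
size_t bytes_allocated_by_strdup(const char *realm)
{
    char *r = strdup(realm);
    if (r == NULL)
        return 0;
    size_t allocated = strlen(r) + 1;   /* 1 for a realm starting with NUL */
    free(r);
    return allocated;
}

/* Post-fix path: the copy is bounded by the caller-supplied length, so all
 * rlen bytes are present and a NUL follows them. Returns rlen + 1 on success. */
size_t bytes_allocated_by_memdup0(const char *realm, size_t rlen)
{
    int code;
    char *r = memdup0_copy(realm, rlen, &code);
    if (r == NULL)
        return 0;
    /* memcmp, not strcmp: the data legitimately contains a NUL */
    size_t allocated = (memcmp(r, realm, rlen) == 0 && r[rlen] == '\0') ? rlen + 1 : 0;
    free(r);
    return allocated;
}

/* Bytes a consumer that trusts the recorded realm length would read past
 * the end of the allocation; nonzero is the over-read the advisory describes. */
size_t overread_bytes(size_t allocated, size_t declared_len)
{
    return declared_len > allocated ? declared_len - allocated : 0;
}

int main(void)
{
    size_t a = bytes_allocated_by_strdup(sample_realm);
    size_t b = bytes_allocated_by_memdup0(sample_realm, SAMPLE_REALM_LEN);
    printf("strdup  : %zu byte(s) allocated, over-read of %zu byte(s)\n",
           a, overread_bytes(a, SAMPLE_REALM_LEN));
    printf("memdup0 : %zu byte(s) allocated, over-read of %zu byte(s)\n",
           b, overread_bytes(b, SAMPLE_REALM_LEN));
    return 0;
}
```

The memcmp() in the post-fix check matters for the same reason the fix does: any string-oriented call (strlen, strcmp, strdup) treats the leading NUL as the end of the data, so code handling Kerberos realm or component fields has to carry the explicit length everywhere, not just at the allocation site.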