From 749d377fa357351a7bbba51f8aae72cdf0629592 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni <viktor@twosigma.com> Date: Tue, 5 Dec 2017 18:49:50 -0500 Subject: [PATCH] Security: Avoid NULL structure pointer member dereference This can happen in the error path when processing malformed AS requests with a NULL client name. Bug originally introduced on Fri Feb 13 09:26:01 2015 +0100 in commit: a873e21d7c06f22943a90a41dc733ae76799390d kdc: base _kdc_fast_mk_error() on krb5_mk_error_ext() Original patch by Jeffrey Altman <jaltman@secure-endpoints.com> (cherry picked from commit 1a6a6e462dc2ac6111f9e02c6852ddec4849b887) --- kdc/kerberos5.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c index 95a74927f7..675b406b82 100644 --- a/kdc/kerberos5.c +++ b/kdc/kerberos5.c @@ -2226,15 +2226,17 @@ _kdc_as_rep(kdc_request_t r, /* * In case of a non proxy error, build an error message. */ - if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) { + if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) { ret = _kdc_fast_mk_error(context, r, &error_method, r->armor_crypto, &req->req_body, ret, r->e_text, r->server_princ, - &r->client_princ->name, - &r->client_princ->realm, + r->client_princ ? + &r->client_princ->name : NULL, + r->client_princ ? + &r->client_princ->realm : NULL, NULL, NULL, reply); if (ret)