1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
From 749d377fa357351a7bbba51f8aae72cdf0629592 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <viktor@twosigma.com>
Date: Tue, 5 Dec 2017 18:49:50 -0500
Subject: [PATCH] Security: Avoid NULL structure pointer member dereference
This can happen in the error path when processing malformed AS
requests with a NULL client name. Bug originally introduced on
Fri Feb 13 09:26:01 2015 +0100 in commit:
a873e21d7c06f22943a90a41dc733ae76799390d
kdc: base _kdc_fast_mk_error() on krb5_mk_error_ext()
Original patch by Jeffrey Altman <jaltman@secure-endpoints.com>
(cherry picked from commit 1a6a6e462dc2ac6111f9e02c6852ddec4849b887)
---
kdc/kerberos5.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 95a74927f7..675b406b82 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -2226,15 +2226,17 @@ _kdc_as_rep(kdc_request_t r,
/*
* In case of a non proxy error, build an error message.
*/
- if(ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
+ if (ret != 0 && ret != HDB_ERR_NOT_FOUND_HERE && reply->length == 0) {
ret = _kdc_fast_mk_error(context, r,
&error_method,
r->armor_crypto,
&req->req_body,
ret, r->e_text,
r->server_princ,
- &r->client_princ->name,
- &r->client_princ->realm,
+ r->client_princ ?
+ &r->client_princ->name : NULL,
+ r->client_princ ?
+ &r->client_princ->realm : NULL,
NULL, NULL,
reply);
if (ret)
|
