45 lines
1.7 KiB
Diff
45 lines
1.7 KiB
Diff
|
commit 524688ce87a15fc75f87efc8c039ba4c7d5c197b
|
||
|
|
Author: Greg Hudson <ghudson@mit.edu>
|
||
|
|
Date: Tue Jul 15 12:56:01 2014 -0400
|
||
|
|
|
||
|
|
Fix null deref in SPNEGO acceptor [CVE-2014-4344]
|
||
|
|
|
||
|
|
When processing a continuation token, acc_ctx_cont was dereferencing
|
||
|
|
the initial byte of the token without checking the length. This could
|
||
|
|
result in a null dereference.
|
||
|
|
|
||
|
|
CVE-2014-4344:
|
||
|
|
|
||
|
|
In MIT krb5 1.5 and newer, an unauthenticated or partially
|
||
|
|
authenticated remote attacker can cause a NULL dereference and
|
||
|
|
application crash during a SPNEGO negotiation by sending an empty
|
||
|
|
token as the second or later context token from initiator to acceptor.
|
||
|
|
The attacker must provide at least one valid context token in the
|
||
|
|
security context negotiation before sending the empty token. This can
|
||
|
|
be done by an unauthenticated attacker by forcing SPNEGO to
|
||
|
|
renegotiate the underlying mechanism, or by using IAKERB to wrap an
|
||
|
|
unauthenticated AS-REQ as the first token.
|
||
|
|
|
||
|
|
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
|
||
|
|
|
||
|
|
[kaduk@mit.edu: CVE summary, CVSSv2 vector]
|
||
|
|
|
||
|
|
ticket: 7970 (new)
|
||
|
|
subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
|
||
|
|
target_version: 1.12.2
|
||
|
|
tags: pullup
|
||
|
|
|
||
|
|
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
|
||
|
|
index 8f829d8..2aa6810 100644
|
||
|
|
--- a/src/lib/gssapi/spnego/spnego_mech.c
|
||
|
|
+++ b/src/lib/gssapi/spnego/spnego_mech.c
|
||
|
|
@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
|
||
|
|
|
||
|
|
ptr = bufstart = buf->value;
|
||
|
|
#define REMAIN (buf->length - (ptr - bufstart))
|
||
|
|
- if (REMAIN > INT_MAX)
|
||
|
|
+ if (REMAIN == 0 || REMAIN > INT_MAX)
|
||
|
|
return GSS_S_DEFECTIVE_TOKEN;
|
||
|
|
|
||
|
|
/*
|