From 19c7a3451b55615c4a48eebf00d4b6d6be0f1603 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Tue, 16 Feb 2010 21:53:47 +0000
Subject: [PATCH] - upstream patch to correct a denial-of-service in KDCs in 1.7 and later
---
2010-001-patch.txt | 42 ++++++++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 2010-001-patch.txt
diff --git a/2010-001-patch.txt b/2010-001-patch.txt
new file mode 100644
index 0000000..e14c722
--- /dev/null
+++ b/2010-001-patch.txt
@@ -0,0 +1,42 @@
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 52fbda5..680e6a1 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -137,6 +137,11 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt,
+ session_key.contents = 0;
+ enc_tkt_reply.authorization_data = NULL;
+
++ if (request->msg_type != KRB5_AS_REQ) {
++ status = "msg_type mismatch";
++ errcode = KRB5_BADMSGTYPE;
++ goto errout;
++ }
+ errcode = kdc_make_rstate(&state);
+ if (errcode != 0) {
+ status = "constructing state";
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 12180ff..c8cf692 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -135,6 +135,8 @@ process_tgs_req(krb5_data *pkt, const krb5_fulladdr *from,
+ retval = decode_krb5_tgs_req(pkt, &request);
+ if (retval)
+ return retval;
++ if (request->msg_type != KRB5_TGS_REQ)
++ return KRB5_BADMSGTYPE;
+
+ /*
+ * setup_server_realm() sets up the global realm-specific data pointer.
+diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c
+index d88e0cb..2639047 100644
+--- a/src/kdc/fast_util.c
++++ b/src/kdc/fast_util.c
+@@ -384,7 +384,7 @@ krb5_error_code kdc_fast_handle_error
+ krb5_data *encoded_e_data = NULL;
+
+ memset(outer_pa, 0, sizeof(outer_pa));
+- if (!state->armor_key)
++ if (!state || !state->armor_key)
+ return 0;
+ fx_error = *err;
+ fx_error.e_data.data = NULL;
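Review bot: The new `goto errout` in process_as_req (src/kdc/do_as_req.c) is taken before `kdc_make_rstate(&state)` runs, so the error path now executes with `state` never constructed; whether `state` is initialised to NULL at its declaration is outside this hunk and should be confirmed. The `!state ||` guard added to kdc_fast_handle_error in the fast_util.c hunk looks like it exists for exactly this path, and any other use of `state` under `errout` needs the same tolerance. A short comment above the check would record that dependency, for example `/* Reject a mismatched msg_type before any request state exists; errout must cope with state == NULL. */`. The function body starts and ends outside the hunk.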
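Review bot: The added `return KRB5_BADMSGTYPE;` in process_tgs_req (src/kdc/do_tgs_req.c) returns after `decode_krb5_tgs_req(pkt, &request)` has succeeded, without releasing `request`. If `request` is a local owned by this function, as the `&request` out-parameter suggests, every rejected packet leaves the decoded request allocated, so the rejection path itself can grow KDC memory; freeing it with `krb5_free_kdc_req()` before the return would close that. Unlike the AS path, which sets `status = "msg_type mismatch"`, this branch records no status string, so rejected TGS requests may be harder to spot in KDC logs; what the caller logs for this return code is not visible here. The function continues outside the hunk.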