diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2022-11-24 14:22:13 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2022-12-01 14:25:52 +0000 |
| commit | 709a426717c9d8e9eedf92a07f5410f6c05409ac (patch) | |
| tree | ee18b9d1ae2e4c20eb2b2b6dc8c6bb58365cf321 | |
| parent | 8d3c6e82cdcac5fa31836df6d3d067efd2e0e3bc (diff) | |
| download | src-709a426717c9d8e9eedf92a07f5410f6c05409ac.tar.gz src-709a426717c9d8e9eedf92a07f5410f6c05409ac.zip | |
heimdal: Fix NULL dereference when mangled realm message
Fix a NULL dereference in _kadm5_s_init_context() when the client
sends a mangled realm message.
PR: 267912
Reported by: Robert Morris <rtm@lcs.mit.edu>
(cherry picked from commit 05bc50bdb1c1ddbbeb853ea4b184aced0eca9b3f)
| -rw-r--r-- | crypto/heimdal/kadmin/server.c | 4 | ||||
| -rw-r--r-- | crypto/heimdal/lib/kadm5/marshall.c | 6 |
2 files changed, 8 insertions, 2 deletions
diff --git a/crypto/heimdal/kadmin/server.c b/crypto/heimdal/kadmin/server.c index 256c2bac89b7..2800a2e1fc29 100644 --- a/crypto/heimdal/kadmin/server.c +++ b/crypto/heimdal/kadmin/server.c @@ -516,7 +516,9 @@ handle_v5(krb5_context contextp, ret = krb5_read_priv_message(contextp, ac, &fd, ¶ms); if(ret) krb5_err(contextp, 1, ret, "krb5_read_priv_message"); - _kadm5_unmarshal_params(contextp, ¶ms, &realm_params); + ret = _kadm5_unmarshal_params(contextp, ¶ms, &realm_params); + if(ret) + krb5_err(contextp, 1, ret, "Could not read or parse kadm5 parameters"); } initial = ticket->ticket.flags.initial; diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c index 65804afbf92b..38b9855021b2 100644 --- a/crypto/heimdal/lib/kadm5/marshall.c +++ b/crypto/heimdal/lib/kadm5/marshall.c @@ -335,8 +335,12 @@ _kadm5_unmarshal_params(krb5_context context, goto out; params->mask = mask; - if(params->mask & KADM5_CONFIG_REALM) + if (params->mask & KADM5_CONFIG_REALM) { ret = krb5_ret_string(sp, ¶ms->realm); + if (params->realm == NULL) { + ret = EINVAL; + } + } out: krb5_storage_free(sp); |