author | Cy Schubert <cy@FreeBSD.org> | 2022-11-24 14:22:13 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2022-12-01 14:25:10 +0000 |
commit | 387abd40650c755f1745533c5b4ec0b85a8b9582 (patch) | |
tree | ef22750285a615d735670737117b6a599241e334 | |
parent | e7dcb18d51088654948840a66ad3864a66f1cb96 (diff) | |
heimdal: Fix NULL dereference when mangled realm message
Fix a NULL dereference in _kadm5_s_init_context() when the client
sends a mangled realm message.
PR: 267912
Reported by: Robert Morris <rtm@lcs.mit.edu>
(cherry picked from commit 05bc50bdb1c1ddbbeb853ea4b184aced0eca9b3f)
-rw-r--r-- | crypto/heimdal/kadmin/server.c | 4 | ||||
-rw-r--r-- | crypto/heimdal/lib/kadm5/marshall.c | 6 |
2 files changed, 8 insertions, 2 deletions
diff --git a/crypto/heimdal/kadmin/server.c b/crypto/heimdal/kadmin/server.c
index 256c2bac89b7..2800a2e1fc29 100644
--- a/crypto/heimdal/kadmin/server.c
+++ b/crypto/heimdal/kadmin/server.c
@@ -516,7 +516,9 @@ handle_v5(krb5_context contextp,
 ret = krb5_read_priv_message(contextp, ac, &fd, ¶ms);
 if(ret)
 krb5_err(contextp, 1, ret, "krb5_read_priv_message");
- _kadm5_unmarshal_params(contextp, ¶ms, &realm_params);
+ ret = _kadm5_unmarshal_params(contextp, ¶ms, &realm_params);
+ if(ret)
+ krb5_err(contextp, 1, ret, "Could not read or parse kadm5 parameters");
 }
 initial = ticket->ticket.flags.initial;
diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c
index 65804afbf92b..38b9855021b2 100644
--- a/crypto/heimdal/lib/kadm5/marshall.c
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@@ -335,8 +335,12 @@ _kadm5_unmarshal_params(krb5_context context,
 goto out;
 params->mask = mask;
- if(params->mask & KADM5_CONFIG_REALM)
+ if (params->mask & KADM5_CONFIG_REALM) {
 ret = krb5_ret_string(sp, ¶ms->realm);
+ if (params->realm == NULL) {
+ ret = EINVAL;
+ }
+ }
 out:
 krb5_storage_free(sp); |
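Review bot: The new failure path in handle_v5 has no comment saying why a parse error must be fatal, and nothing at the call site shows that the parameter blob comes from the client. Per the commit message, the unchecked result previously let a realm that was never set reach _kadm5_s_init_context(), so exiting through `krb5_err(contextp, 1, ...)` is the fix itself rather than just logging. I would add `/* params is client-supplied; never continue with a partially filled realm_params */` above the call. handle_v5 starts before and continues after this hunk, so how realm_params is initialised and later consumed is not visible here.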
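Review bot: In _kadm5_unmarshal_params the added `params->realm == NULL` test runs whether or not krb5_ret_string() succeeded, so a real error code gets overwritten with EINVAL. If krb5_ret_string() can fail without storing to its output (not visible here), the test also relies on the caller having zeroed `params->realm` beforehand. Checking the return value first keeps the original error: `if (ret == 0 && params->realm == NULL) ret = EINVAL;`. On failure `params->mask` still has KADM5_CONFIG_REALM set, because the mask is assigned before the read; a mask bit with no realm looks like the inconsistent state behind the reported NULL dereference. Clearing it on the error path with `params->mask &= ~KADM5_CONFIG_REALM;` would also protect any caller that ignores the return value. The function begins before and ends after this hunk.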