Skip to content

Commit

Permalink
Fix LDAP null deref on empty arg [CVE-2016-3119]
Browse files Browse the repository at this point in the history 
In the LDAP KDB module's process_db_args(), strtok_r() may return NULL
if there is an empty string in the db_args array.  Check for this case
and avoid dereferencing a null pointer.

CVE-2016-3119:

In MIT krb5 1.6 and later, an authenticated attacker with permission
to modify a principal entry can cause kadmind to dereference a null
pointer by supplying an empty DB argument to the modify_principal
command, if kadmind is configured to use the LDAP KDB module.

    CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:H/RL:OF/RC:ND

ticket: 8383 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
  • Loading branch information
@greghudson
greghudson committed Mar 18, 2016
1 parent 89683d1 commit 08c642c
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -296,6 +296,7 @@ process_db_args(krb5_context context, char **db_args, xargs_t *xargs,
if (db_args) {
for (i=0; db_args[i]; ++i) {
arg = strtok_r(db_args[i], "=", &arg_val);
arg = (arg != NULL) ? arg : "";
if (strcmp(arg, TKTPOLICY_ARG) == 0) {
dptr = &xargs->tktpolicydn;
} else {
Expand Down

0 comments on commit 08c642c

Please sign in to comment.