Commit 524688c

Browse files
committed
Fix null deref in SPNEGO acceptor [CVE-2014-4344]
When processing a continuation token, acc_ctx_cont was dereferencing the initial byte of the token without checking the length. This could result in a null dereference.

CVE-2014-4344:

In MIT krb5 1.5 and newer, an unauthenticated or partially authenticated remote attacker can cause a NULL dereference and application crash during a SPNEGO negotiation by sending an empty token as the second or later context token from initiator to acceptor. The attacker must provide at least one valid context token in the security context negotiation before sending the empty token. This can be done by an unauthenticated attacker by forcing SPNEGO to renegotiate the underlying mechanism, or by using IAKERB to wrap an unauthenticated AS-REQ as the first token.

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[kaduk@mit.edu: CVE summary, CVSSv2 vector]

ticket: 7970 (new)
subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
target_version: 1.12.2
tags: pullup
1 parent f18ddf5 commit 524688c
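The defect described above is a missing length check before the first read of a token buffer. The following C program is an added example, not krb5 code: it models a `gss_buffer_desc`-style buffer (`struct tok_buf`, hypothetical) and a toy continuation-token parser (`parse_cont_token`, hypothetical) that applies the same `REMAIN` discipline as the fixed `acc_ctx_cont`, rejecting an empty token (length zero, pointer possibly NULL) before any byte is dereferenced, and checking `REMAIN` again before every later read. The status names and sample tokens are constructed for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Status values modelled on the GSS_S_* names used by the acceptor; the
 * numeric values here are constructed for this example. */
enum tok_status { TOK_OK = 0, TOK_DEFECTIVE = 1 };

/* Shape of a gss_buffer_desc: a length and a pointer that may be NULL when
 * the length is zero (an empty context token). Hypothetical type. */
struct tok_buf {
    const unsigned char *value;
    size_t length;
};

/*
 * Parse a toy continuation token: tag (1 byte), short-form length (1 byte,
 * below 0x80), then that many body bytes. Every read through ptr is
 * preceded by a check of REMAIN, the count of bytes not yet consumed, so
 * an empty token is rejected before the first byte is dereferenced.
 */
enum tok_status parse_cont_token(const struct tok_buf *buf,
                                 unsigned char *tag_out, size_t *body_len_out)
{
    const unsigned char *ptr, *bufstart;
    unsigned char tag, len;

    /* Same shape as the fix in acc_ctx_cont: refuse a token with nothing to
     * read and keep the existing upper bound. Checking value for NULL as
     * well avoids pointer arithmetic on a null pointer below. */
    if (buf->value == NULL || buf->length == 0 || buf->length > INT_MAX)
        return TOK_DEFECTIVE;

    ptr = bufstart = buf->value;
#define REMAIN (buf->length - (size_t)(ptr - bufstart))

    tag = *ptr++;                 /* REMAIN >= 1 was established above */

    if (REMAIN < 1)               /* need one more byte for the length */
        return TOK_DEFECTIVE;
    len = *ptr++;

    if (len >= 0x80)              /* long-form DER lengths are out of scope */
        return TOK_DEFECTIVE;
    if (REMAIN < len)             /* body must fit inside what is left */
        return TOK_DEFECTIVE;

    *tag_out = tag;
    *body_len_out = len;
    return TOK_OK;
#undef REMAIN
}

/* Convenience wrapper for exercising the parser on raw bytes. */
enum tok_status classify_token(const unsigned char *bytes, size_t n)
{
    struct tok_buf buf = { bytes, n };
    unsigned char tag = 0;
    size_t body_len = 0;
    return parse_cont_token(&buf, &tag, &body_len);
}

int main(void)
{
    /* Constructed sample tokens, not captured traffic. */
    static const unsigned char well_formed[] = { 0xa1, 0x03, 0x01, 0x02, 0x03 };
    static const unsigned char truncated[]   = { 0xa1, 0x05, 0x01, 0x02 };
    static const unsigned char tag_only[]    = { 0xa1 };

    printf("empty token    -> %s\n",
           classify_token(NULL, 0) == TOK_DEFECTIVE ? "rejected" : "accepted");
    printf("tag only       -> %s\n",
           classify_token(tag_only, sizeof tag_only) == TOK_DEFECTIVE ? "rejected" : "accepted");
    printf("truncated body -> %s\n",
           classify_token(truncated, sizeof truncated) == TOK_DEFECTIVE ? "rejected" : "accepted");
    printf("well-formed    -> %s\n",
           classify_token(well_formed, sizeof well_formed) == TOK_OK ? "accepted" : "rejected");
    return 0;
}
```

The design point is that the bounds check has to be repeated before each read, not only once at entry: the krb5 fix guards the first byte, and a parser that later consumes a length field and a body must check `REMAIN` at each of those steps as well.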

1 file changed: +1 -1 lines changed

Diff for: src/lib/gssapi/spnego/spnego_mech.c

@@ -1468,7 +1468,7 @@ acc_ctx_cont(OM_uint32 *minstat,
14681468

14691469
ptr = bufstart = buf->value;
14701470
#define REMAIN (buf->length - (ptr - bufstart))
1471-
if (REMAIN > INT_MAX)
1471+
if (REMAIN == 0 || REMAIN > INT_MAX)
14721472
return GSS_S_DEFECTIVE_TOKEN;
14731473

14741474
/*
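Review bot: the new `REMAIN == 0` test on the changed line is the right guard, since `REMAIN` is `buf->length - (ptr - bufstart)` and at this point `ptr == bufstart`, so it is exactly the empty-token case the commit message describes; a one-line comment next to it would help, because a reader sees an `INT_MAX` upper bound and a zero lower bound on the same line without the hunk saying why zero is special (an empty token has no first byte to read, and `buf->value` may be NULL). Worth noting in review that this hunk protects only the first read after `ptr = bufstart = buf->value;`; any later read through `ptr` in this function still needs its own `REMAIN` check before it, so the fix is sufficient only if those checks are already present.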
