
Commit 5bb8a6b

Fix gssrpc data leakage [CVE-2014-9423]
[MITKRB5-SA-2015-001] In svcauth_gss_accept_sec_context(), do not copy bytes from the union context into the handle field we send to the client. We do not use this handle field, so just supply a fixed string of "xxxx". In gss_union_ctx_id_struct, remove the unused "interposer" field which was causing part of the union context to remain uninitialized. ticket: 8058 (new) target_version: 1.13.1 tags: pullup
1 parent 6609658 commit 5bb8a6b

2 files changed

+2
-24
lines changed


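--- a/src/lib/gssapi/mechglue/mglueP.h
+++ b/src/lib/gssapi/mechglue/mglueP.h
@@ -25,7 +25,6 @@ do { \
 */
 typedef struct gss_union_ctx_id_struct {
 struct gss_union_ctx_id_struct *loopback;
-struct gss_union_ctx_id_struct *interposer;
 gss_OID mech_type;
 gss_ctx_id_t internal_ctx_id;
 } gss_union_ctx_id_desc, *gss_union_ctx_id_t;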

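--- a/src/lib/rpc/svc_auth_gss.c
+++ b/src/lib/rpc/svc_auth_gss.c
@@ -65,16 +65,6 @@ extern const gss_OID_desc * const gss_mech_spkm3;
 
 extern SVCAUTH svc_auth_none;
 
-/*
-* from mit-krb5-1.2.1 mechglue/mglueP.h:
-* Array of context IDs typed by mechanism OID
-*/
-typedef struct gss_union_ctx_id_t {
-gss_OID mech_type;
-gss_ctx_id_t internal_ctx_id;
-} gss_union_ctx_id_desc, *gss_union_ctx_id_t;
-
-
 static auth_gssapi_log_badauth_func log_badauth = NULL;
 static caddr_t log_badauth_data = NULL;
 static auth_gssapi_log_badauth2_func log_badauth2 = NULL;
@@ -239,16 +229,8 @@ svcauth_gss_accept_sec_context(struct svc_req *rqst,
 gd->ctx = GSS_C_NO_CONTEXT;
 goto errout;
 }
-/*
-* ANDROS: krb5 mechglue returns ctx of size 8 - two pointers,
-* one to the mechanism oid, one to the internal_ctx_id
-*/
-if ((gr->gr_ctx.value = mem_alloc(sizeof(gss_union_ctx_id_desc))) == NULL) {
-fprintf(stderr, "svcauth_gss_accept_context: out of memory\n");
-goto errout;
-}
-memcpy(gr->gr_ctx.value, gd->ctx, sizeof(gss_union_ctx_id_desc));
-gr->gr_ctx.length = sizeof(gss_union_ctx_id_desc);
+gr->gr_ctx.value = "xxxx";
+gr->gr_ctx.length = 4;
 
 /* gr->gr_win = 0x00000005; ANDROS: for debugging linux kernel version... */
 gr->gr_win = sizeof(gd->seqmask) * 8;
@@ -520,8 +502,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg,
 
 if (!svcauth_gss_nextverf(rqst, htonl(gr.gr_win))) {
 gss_release_buffer(&min_stat, &gr.gr_token);
-mem_free(gr.gr_ctx.value,
-sizeof(gss_union_ctx_id_desc));
 ret_freegc (AUTH_FAILED);
 }
 *no_dispatch = TRUE;
@@ -531,7 +511,6 @@ gssrpc__svcauth_gss(struct svc_req *rqst, struct rpc_msg *msg,
 
 gss_release_buffer(&min_stat, &gr.gr_token);
 gss_release_buffer(&min_stat, &gd->checksum);
-mem_free(gr.gr_ctx.value, sizeof(gss_union_ctx_id_desc));
 if (!call_stat)
 ret_freegc (AUTH_FAILED);
 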
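Review bot: The new handle at `gr->gr_ctx.value = "xxxx";` in svcauth_gss_accept_sec_context points at a string literal, and nothing in that hunk records that the buffer is no longer heap-owned; the two mem_free() calls dropped in the later hunks of gssrpc__svcauth_gss (old lines 523-524 and 534) are the only thing that makes this safe, and a reader of the accept function alone would not know it. I would add a comment above the assignment such as `/* The client never uses this handle; send a static placeholder, which must never be freed. */`, and tie the length to the literal with `gr->gr_ctx.length = sizeof("xxxx") - 1;` so the two cannot drift apart. If gr is ever released through an XDR_FREE pass rather than the explicit mem_free() calls removed here, that path would now attempt to free a literal; that code is outside this diff, so it is worth confirming. Both svcauth_gss_accept_sec_context and gssrpc__svcauth_gss start and end outside their hunks.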