Fix null deref in SPNEGO acceptor [CVE-2014-4344]
When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length.  This could
result in a null dereference.

CVE-2014-4344:

In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token.  This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.

    CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

[kaduk@mit.edu: CVE summary, CVSSv2 vector]

(cherry picked from commit 524688c)

ticket: 8114 (new)
subject: NULL dereference in SPNEGO acceptor for continuation tokens [CVE-2014-4344]
version_fixed: 1.11.6
status: resolved
greghudson authored and tlyu committed Feb 6, 2015
1 parent 32f6c3f commit 90df9bc
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/lib/gssapi/spnego/spnego_mech.c
@@ -1437,7 +1437,7 @@ acc_ctx_cont(OM_uint32 *minstat,

ptr = bufstart = buf->value;
#define REMAIN (buf->length - (ptr - bufstart))
if (REMAIN > INT_MAX)
if (REMAIN == 0 || REMAIN > INT_MAX)
return GSS_S_DEFECTIVE_TOKEN;

/*
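Review bot: the added `REMAIN == 0` guard is the right fix for the crash described in the commit message, and its placement ahead of the existing `REMAIN > INT_MAX` comparison matters: an empty continuation token (where `buf->length` is 0 and `buf->value` may be NULL) is now rejected with GSS_S_DEFECTIVE_TOKEN before `ptr` is ever read. Since this check only protects the first byte, it is worth confirming that every later advance of `ptr` in `acc_ctx_cont` re-checks REMAIN before dereferencing, and a regression test that hands the acceptor a zero-length second context token would pin the behaviour down.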
