Skip to content

Commit b863de7

Browse files
committed
Check for null kadm5 policy name [CVE-2015-8630]
In kadm5_create_principal_3() and kadm5_modify_principal(), check for entry->policy being null when KADM5_POLICY is included in the mask. CVE-2015-8630: In MIT krb5 1.12 and later, an authenticated attacker with permission to modify a principal entry can cause kadmind to dereference a null pointer by supplying a null policy value but including KADM5_POLICY in the mask. CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C ticket: 8342 (new) target_version: 1.14-next target_version: 1.13-next tags: pullup
1 parent df17a12 commit b863de7

File tree

1 file changed

+8
-4
lines changed

1 file changed

+8
-4
lines changed

Diff for: src/lib/kadm5/srv/svr_principal.c

+8-4
Original file line numberDiff line numberDiff line change
@@ -395,6 +395,8 @@ kadm5_create_principal_3(void *server_handle,
395395
/*
396396
* Argument sanity checking, and opening up the DB
397397
*/
398+
if (entry == NULL)
399+
return EINVAL;
398400
if(!(mask & KADM5_PRINCIPAL) || (mask & KADM5_MOD_NAME) ||
399401
(mask & KADM5_MOD_TIME) || (mask & KADM5_LAST_PWD_CHANGE) ||
400402
(mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
@@ -403,12 +405,12 @@ kadm5_create_principal_3(void *server_handle,
403405
return KADM5_BAD_MASK;
404406
if ((mask & KADM5_KEY_DATA) && entry->n_key_data != 0)
405407
return KADM5_BAD_MASK;
408+
if((mask & KADM5_POLICY) && entry->policy == NULL)
409+
return KADM5_BAD_MASK;
406410
if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
407411
return KADM5_BAD_MASK;
408412
if((mask & ~ALL_PRINC_MASK))
409413
return KADM5_BAD_MASK;
410-
if (entry == NULL)
411-
return EINVAL;
412414

413415
/*
414416
* Check to see if the principal exists
@@ -643,6 +645,8 @@ kadm5_modify_principal(void *server_handle,
643645

644646
krb5_clear_error_message(handle->context);
645647

648+
if(entry == NULL)
649+
return EINVAL;
646650
if((mask & KADM5_PRINCIPAL) || (mask & KADM5_LAST_PWD_CHANGE) ||
647651
(mask & KADM5_MOD_TIME) || (mask & KADM5_MOD_NAME) ||
648652
(mask & KADM5_MKVNO) || (mask & KADM5_AUX_ATTRIBUTES) ||
@@ -651,10 +655,10 @@ kadm5_modify_principal(void *server_handle,
651655
return KADM5_BAD_MASK;
652656
if((mask & ~ALL_PRINC_MASK))
653657
return KADM5_BAD_MASK;
658+
if((mask & KADM5_POLICY) && entry->policy == NULL)
659+
return KADM5_BAD_MASK;
654660
if((mask & KADM5_POLICY) && (mask & KADM5_POLICY_CLR))
655661
return KADM5_BAD_MASK;
656-
if(entry == (kadm5_principal_ent_t) NULL)
657-
return EINVAL;
658662
if (mask & KADM5_TL_DATA) {
659663
tl_data_orig = entry->tl_data;
660664
while (tl_data_orig) {

0 commit comments

Comments
 (0)