Null pointer deref in kadmind [CVE-2012-1013]

The fix for #6626 could cause kadmind to dereference a null pointer if
a create-principal request contains no password but does contain the
KRB5_KDB_DISALLOW_ALL_TIX flag (e.g. "addprinc -randkey -allow_tix
name").  Only clients authorized to create principals can trigger the
bug.  Fix the bug by testing for a null password in check_1_6_dummy.

CVSSv2 vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:H/RL:O/RC:C

[ghudson@mit.edu: Minor style change and commit message]

ticket: 7152
target_version: 1.10.2
tags: pullup
commit c5be6209311d4a8f10fda37d0d3f876c1b33b77b 1 parent eebe17c
authored May 29, 2012 greghudson committed May 29, 2012

Showing 1 changed file with 1 addition and 1 deletion.

2  src/lib/kadm5/srv/svr_principal.c
@@ -186,7 +186,7 @@ check_1_6_dummy(kadm5_principal_ent_t entry, long mask,
186 186
     char *password = *passptr;
187 187
 
188 188
     /* Old-style randkey operations disallowed tickets to start. */
189  
-    if (!(mask & KADM5_ATTRIBUTES) ||
  189
+    if (password == NULL || !(mask & KADM5_ATTRIBUTES) ||
190 190
         !(entry->attributes & KRB5_KDB_DISALLOW_ALL_TIX))
191 191
         return;
192 192
 
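Review bot: The comment above the changed condition at line 189 still describes only the old-style randkey case and does not explain why a null password now returns early. A short addition stating that *passptr is NULL when the create-principal request carries no password (the "addprinc -randkey -allow_tix name" case from the commit message) would keep a later cleanup from dropping the check. The line `char *password = *passptr;` still dereferences passptr before any test, so it is worth confirming that every caller passes a non-null passptr. The commit changes only svr_principal.c; a regression test that sends that create-principal request to kadmind and checks that the daemon stays up would guard against this returning.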
