
Commit db64ca2

nalind authored and tlyu committed
PKINIT (draft9) null ptr deref [CVE-2012-1016]

Don't check for an agility KDF identifier in the non-draft9 reply structure when we're building a draft9 reply, because it'll be NULL.

The KDC plugin for PKINIT can dereference a null pointer when handling a draft9 request, leading to a crash of the KDC process. An attacker would need to have a valid PKINIT certificate, or an unauthenticated attacker could execute the attack if anonymous PKINIT is enabled.

CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C

[tlyu@mit.edu: reformat comment and edit log message]

(backported from commit cd5ff93)

ticket: 7527 (new)
version_fixed: 1.10.4
status: resolved
1 parent d6a6cd0 commit db64ca2

1 file changed: +4 -3 lines changed


Diff for: src/plugins/preauth/pkinit/pkinit_srv.c

+4-3
@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context context,
10161016
rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
10171017
(rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
10181018

1019-
/* If mutually supported KDFs were found, use the alg agility KDF */
1020-
if (rep->u.dh_Info.kdfID) {
1021-
secret.data = server_key;
1019+
/* If we're not doing draft 9, and mutually supported KDFs were found,
1020+
* use the algorithm agility KDF. */
1021+
if (rep != NULL && rep->u.dh_Info.kdfID) {
1022+
secret.data = (char *)server_key;
10221023
secret.length = server_key_len;
10231024

10241025
retval = pkinit_alg_agility_kdf(context, &secret,
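Review bot: the added `rep != NULL &&` guard on the `kdfID` test is the whole fix, and it is correct for the visible condition: the enclosing `if` is entered either because `rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData` or because `rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo`, so on the draft9 path `rep` is NULL and the old `if (rep->u.dh_Info.kdfID)` dereferenced it. Two things I would still ask for. First, the new comment says "If we're not doing draft 9", but the code tests `rep != NULL` rather than the draft9 condition itself; that is only equivalent as long as `rep` is NULL exactly when a draft9 reply is being built, so either say so in the comment ("rep is NULL for draft9 replies") or test the draft9 choice explicitly so the two branches cannot drift apart later. Second, the `secret.data = (char *)server_key;` cast is an unrelated cleanup bundled into a CVE fix and not mentioned in the log message; for a backport I would either drop it or call it out in the message so the security change stays one-line reviewable. A regression test that sends a draft9 (anonymous PKINIT, if enabled) request against the KDC and checks it does not crash would be worth adding with this change.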
