PKINIT (draft9) null ptr deref [CVE-2012-1016]

Don't check for an agility KDF identifier in the non-draft9 reply structure when we're building a draft9 reply, because it'll be NULL. The KDC plugin for PKINIT can dereference a null pointer when handling a draft9 request, leading to a crash of the KDC process. An attacker would need to have a valid PKINIT certificate, or an unauthenticated attacker could execute the attack if anonymous PKINIT is enabled. CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C [tlyu@mit.edu: reformat comment and edit log message] (back ported from commit cd5ff93) ticket: 7527 (new) version_fixed: 1.10.4 status: resolved
krb5 · Jan 2, 2013 · db64ca2 · db64ca2
1 parent d6a6cd0
commit db64ca2
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1016,9 +1016,10 @@ pkinit_server_return_padata(krb5_context context,
          rep9->choice == choice_pa_pk_as_rep_draft9_dhSignedData) ||
         (rep != NULL && rep->choice == choice_pa_pk_as_rep_dhInfo)) {
 
-        /* If mutually supported KDFs were found, use the alg agility KDF */
-        if (rep->u.dh_Info.kdfID) {
-            secret.data = server_key;
+        /* If we're not doing draft 9, and mutually supported KDFs were found,
+         * use the algorithm agility KDF. */
+        if (rep != NULL && rep->u.dh_Info.kdfID) {
+            secret.data = (char *)server_key;
             secret.length = server_key_len;
 
             retval = pkinit_alg_agility_kdf(context, &secret,