
Commit df17a12

Verify decoded kadmin C strings [CVE-2015-8629]
In xdr_nullstring(), check that the decoded string is terminated with a zero byte and does not contain any internal zero bytes.

CVE-2015-8629:

In all versions of MIT krb5, an authenticated attacker can cause kadmind to read beyond the end of allocated memory by sending a string without a terminating zero byte. Information leakage may be possible for an attacker with permission to modify the database.

CVSSv2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C

ticket: 8341 (new)
target_version: 1.14-next
target_version: 1.13-next
tags: pullup
1 parent c546a30 commit df17a12

1 file changed

+8
-1
lines changed

Diff for: src/lib/kadm5/kadm_rpc_xdr.c

+8-1
@@ -64,7 +64,14 @@ bool_t xdr_nullstring(XDR *xdrs, char **objp)
6464
return FALSE;
6565
}
6666
}
67-
return (xdr_opaque(xdrs, *objp, size));
67+
if (!xdr_opaque(xdrs, *objp, size))
68+
return FALSE;
69+
/* Check that the unmarshalled bytes are a C string. */
70+
if ((*objp)[size - 1] != '\0')
71+
return FALSE;
72+
if (memchr(*objp, '\0', size - 1) != NULL)
73+
return FALSE;
74+
return TRUE;
6875

6976
case XDR_ENCODE:
7077
if (size != 0)
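Review bot: the terminator check `(*objp)[size - 1] != '\0'` indexes one below `size`, so it is only safe if `size >= 1` is guaranteed on the decode path at this point; the hunk does not show where a zero XDR length is handled, so please confirm that the `size == 0` case returns before these new checks are reached, and consider stating that invariant in the comment above them (e.g. extend `/* Check that the unmarshalled bytes are a C string. */` with a note that `size` is nonzero here). The `memchr(*objp, '\0', size - 1)` scan for embedded NULs and the early `return FALSE` when `xdr_opaque()` fails otherwise look correct for rejecting unterminated strings.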
