Skip to content

Commit f0c094a

Browse files
committed
Fix build_principal memory bug [CVE-2015-2697]
In build_principal_va(), use k5memdup0() instead of strdup() to make a copy of the realm, to ensure that we allocate the correct number of bytes and do not read past the end of the input string. This bug affects krb5_build_principal(), krb5_build_principal_va(), and krb5_build_principal_alloc_va(). krb5_build_principal_ext() is not affected. CVE-2015-2697: In MIT krb5 1.7 and later, an authenticated attacker may be able to cause a KDC to crash using a TGS request with a large realm field beginning with a null byte. If the KDC attempts to find a referral to answer the request, it constructs a principal name for lookup using krb5_build_principal() with the requested realm. Due to a bug in this function, the null byte causes only one byte be allocated for the realm field of the constructed principal, far less than its length. Subsequent operations on the lookup principal may cause a read beyond the end of the mapped memory region, causing the KDC process to crash. CVSSv2: AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C ticket: 8252 (new) target_version: 1.14 tags: pullup
1 parent a705b11 commit f0c094a

File tree

1 file changed

+2
-4
lines changed

1 file changed

+2
-4
lines changed

Diff for: src/lib/krb5/krb/bld_princ.c

+2-4
Original file line numberDiff line numberDiff line change
@@ -40,10 +40,8 @@ build_principal_va(krb5_context context, krb5_principal princ,
4040
data = malloc(size * sizeof(krb5_data));
4141
if (!data) { retval = ENOMEM; }
4242

43-
if (!retval) {
44-
r = strdup(realm);
45-
if (!r) { retval = ENOMEM; }
46-
}
43+
if (!retval)
44+
r = k5memdup0(realm, rlen, &retval);
4745

4846
while (!retval && (component = va_arg(ap, char *))) {
4947
if (count == size) {

0 commit comments

Comments
 (0)