Browse files

PKINIT null pointer deref [CVE-2013-1415]

Don't dereference a null pointer when cleaning up.

The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process.  An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.

CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C

This is a minimal commit for pullup; style fixes in a followup.
[ reformat and edit commit message]

(cherry picked from commit c773d3c)

ticket: 7570
version_fixed: 1.11.1
status: resolved
  • Loading branch information...
1 parent 0dbdec4 commit f249555301940c6df3a2cdda13b56b5674eebc2e @xiw xiw committed with tlyu Feb 14, 2013
Showing with 1 addition and 2 deletions.
  1. +1 −2 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
3 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -3253,7 +3253,7 @@ pkinit_check_kdc_pkid(krb5_context context,
pkiDebug("found kdcPkId in AS REQ\n");
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
if (is == NULL)
- goto cleanup;
+ return retval;
status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
if (!status) {
@@ -3263,7 +3263,6 @@ pkinit_check_kdc_pkid(krb5_context context,
retval = 0;

0 comments on commit f249555

Please sign in to comment.