Skip to content

Commit f249555

Browse files
xiwtlyu
authored andcommitted
PKINIT null pointer deref [CVE-2013-1415]
Don't dereference a null pointer when cleaning up. The KDC plugin for PKINIT can dereference a null pointer when a malformed packet causes processing to terminate early, leading to a crash of the KDC process. An attacker would need to have a valid PKINIT certificate or have observed a successful PKINIT authentication, or an unauthenticated attacker could execute the attack if anonymous PKINIT is enabled. CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C This is a minimal commit for pullup; style fixes in a followup. [kaduk@mit.edu: reformat and edit commit message] (cherry picked from commit c773d3c) ticket: 7570 version_fixed: 1.11.1 status: resolved
1 parent 0dbdec4 commit f249555

File tree

1 file changed

+1
-2
lines changed

1 file changed

+1
-2
lines changed

Diff for: src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

+1-2
Original file line numberDiff line numberDiff line change
@@ -3253,7 +3253,7 @@ pkinit_check_kdc_pkid(krb5_context context,
32533253
pkiDebug("found kdcPkId in AS REQ\n");
32543254
is = d2i_PKCS7_ISSUER_AND_SERIAL(NULL, &p, (int)pkid_len);
32553255
if (is == NULL)
3256-
goto cleanup;
3256+
return retval;
32573257

32583258
status = X509_NAME_cmp(X509_get_issuer_name(kdc_cert), is->issuer);
32593259
if (!status) {
@@ -3263,7 +3263,6 @@ pkinit_check_kdc_pkid(krb5_context context,
32633263
}
32643264

32653265
retval = 0;
3266-
cleanup:
32673266
X509_NAME_free(is->issuer);
32683267
ASN1_INTEGER_free(is->serial);
32693268
free(is);

0 commit comments

Comments
 (0)