Date:      Thu, 1 Dec 2022 14:26:04 GMT
From:      Cy Schubert <cy@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 709a426717c9 - stable/12 - heimdal: Fix NULL dereference when mangled realm message
Message-ID:  <202212011426.2B1EQ4gd079604@gitrepo.freebsd.org>

The branch stable/12 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=709a426717c9d8e9eedf92a07f5410f6c05409ac

commit 709a426717c9d8e9eedf92a07f5410f6c05409ac
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-11-24 14:22:13 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-12-01 14:25:52 +0000

    heimdal: Fix NULL dereference when mangled realm message
    
    Fix a NULL dereference in _kadm5_s_init_context() when the client
    sends a mangled realm message.
    
    PR:             267912
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    
    (cherry picked from commit 05bc50bdb1c1ddbbeb853ea4b184aced0eca9b3f)
---
 crypto/heimdal/kadmin/server.c      | 4 +++-
 crypto/heimdal/lib/kadm5/marshall.c | 6 +++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/crypto/heimdal/kadmin/server.c b/crypto/heimdal/kadmin/server.c
index 256c2bac89b7..2800a2e1fc29 100644
--- a/crypto/heimdal/kadmin/server.c
+++ b/crypto/heimdal/kadmin/server.c
@@ -516,7 +516,9 @@ handle_v5(krb5_context contextp,
 	ret = krb5_read_priv_message(contextp, ac, &fd, &params);
 	if(ret)
 	    krb5_err(contextp, 1, ret, "krb5_read_priv_message");
-	_kadm5_unmarshal_params(contextp, &params, &realm_params);
+	ret = _kadm5_unmarshal_params(contextp, &params, &realm_params);
+	if(ret)
+	    krb5_err(contextp, 1, ret, "Could not read or parse kadm5 parameters");
     }
 
     initial = ticket->ticket.flags.initial;
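Review bot: The krb5_err() call added after _kadm5_unmarshal_params() in handle_v5() uses a free-form message, while the krb5_read_priv_message check just above it names the failing function; using the function name here as well (for example "_kadm5_unmarshal_params") would keep the log lines consistent and easy to grep. Checking the return value is the right change, but it only rejects a mangled realm because the marshall.c hunk in this same commit now returns non-zero when the realm is NULL, so the two hunks have to be merged together.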
diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c
index 65804afbf92b..38b9855021b2 100644
--- a/crypto/heimdal/lib/kadm5/marshall.c
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@@ -335,8 +335,12 @@ _kadm5_unmarshal_params(krb5_context context,
 	goto out;
     params->mask = mask;
 
-    if(params->mask & KADM5_CONFIG_REALM)
+    if (params->mask & KADM5_CONFIG_REALM) {
 	ret = krb5_ret_string(sp, &params->realm);
+	if (params->realm == NULL) {
+	    ret = EINVAL;
+	}
+    }
  out:
     krb5_storage_free(sp);
 
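Review bot: In the KADM5_CONFIG_REALM branch, the added `if (params->realm == NULL)` test overwrites whatever krb5_ret_string() returned with EINVAL, so any more specific error code from that call is lost. Consider checking ret first and mapping to EINVAL only when the call reported success, for example `if (ret == 0 && params->realm == NULL) ret = EINVAL;`. The test also relies on params->realm being NULL on entry if krb5_ret_string() fails without storing a pointer; that initialisation is not visible in this hunk and is worth confirming, as is an include of <errno.h> for EINVAL in marshall.c.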


