oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

CVE-2019-14870: Validate client attributes in protocol-transition

Browse Source 
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
This commit is contained in:
Isaac Boukris
2019-11-07 00:05:05 +01:00
committed by Jeffrey Altman
parent 013210d1eb
commit 77b480d2a0
2 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
kdc/krb5tgs.c
View File

@@ -2035,6 +2035,7 @@ server_lookup:
sdata = _kdc_find_padata(req, &i, KRB5_PADATA_FOR_USER);
if (sdata) {
struct astgs_request_desc imp_req;
krb5_crypto crypto;
krb5_data datack;
PA_S4U2Self self;
@@ -2142,6 +2143,20 @@ server_lookup:
goto out;
}
/* Ignore require_pwchange and pw_end attributes (as Windows does),
* since S4U2Self is not password authentication. */
s4u2self_impersonated_client->entry.flags.require_pwchange = FALSE;
free(s4u2self_impersonated_client->entry.pw_end);
s4u2self_impersonated_client->entry.pw_end = NULL;
imp_req = *priv;
imp_req.client = s4u2self_impersonated_client;
imp_req.client_princ = tp;
ret = kdc_check_flags(&imp_req, FALSE);
if (ret)
goto out;
/* If we were about to put a PAC into the ticket, we better fix it to be the right PAC */
if(rspac.data) {
krb5_pac p = NULL;