Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]

This was introduced by checking the Kerberos 5 checksum as a alternative to the 8003 checksum. Thanks to MIT Kerberos and Shawn Emery for forwarding this issue
2010-05-26 11:53:31 -05:00
parent 7ecd5b5f9d
commit a7e8f05c9b
2 changed files with 7 additions and 5 deletions
--- a/lib/gssapi/krb5/8003.c
+++ b/lib/gssapi/krb5/8003.c
@@ -182,11 +182,6 @@ _gsskrb5_verify_8003_checksum(
    int DlgOpt;
    static unsigned char zeros[16];

-    if (cksum == NULL) {
-	*minor_status = 0;
-	return GSS_S_BAD_BINDINGS;
-    }
-
    /* XXX should handle checksums > 24 bytes */
    if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) {
 	*minor_status = 0;
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -462,6 +462,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
    /*
     * We need to get the flags out of the 8003 checksum.
     */
+
    {
 	krb5_authenticator authenticator;

@@ -474,6 +475,12 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	    return ret;
 	}

+	if (authenticator->cksum == NULL) {
+	    krb5_free_authenticator(context, &authenticator);
+	    *minor_status = 0;
+	    return GSS_S_BAD_BINDINGS;
+	}
+
        if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
            ret = _gsskrb5_verify_8003_checksum(minor_status,
 						input_chan_bindings,