From a7e8f05c9ba898fda6a6f90e1923b74129c16db6 Mon Sep 17 00:00:00 2001
From: Love Hornquist Astrand
Date: Wed, 26 May 2010 11:53:31 -0500
Subject: [PATCH] Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]

This was introduced by checking the Kerberos 5 checksum as a alternative to the 8003 checksum. Thanks to MIT Kerberos and Shawn Emery for forwarding this issue
---
 lib/gssapi/krb5/8003.c | 5 -----
 lib/gssapi/krb5/accept_sec_context.c | 7 +++++++
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/gssapi/krb5/8003.c b/lib/gssapi/krb5/8003.c
index 2c53d6700..65db343ca 100644
--- a/lib/gssapi/krb5/8003.c
+++ b/lib/gssapi/krb5/8003.c
@@ -182,11 +182,6 @@ _gsskrb5_verify_8003_checksum(
 int DlgOpt;
 static unsigned char zeros[16];
- if (cksum == NULL) {
- *minor_status = 0;
- return GSS_S_BAD_BINDINGS;
- }
-
 /* XXX should handle checksums > 24 bytes */
 if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) {
 *minor_status = 0;
diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index e3ba189b3..5a9de96cd 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -462,6 +462,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 /*
 * We need to get the flags out of the 8003 checksum.
 */
+
 {
 krb5_authenticator authenticator;
@@ -474,6 +475,12 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 return ret;
 }
+ if (authenticator->cksum == NULL) {
+ krb5_free_authenticator(context, &authenticator);
+ *minor_status = 0;
+ return GSS_S_BAD_BINDINGS;
+ }
+
 if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
 ret = _gsskrb5_verify_8003_checksum(minor_status,
 input_chan_bindings,
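Review bot: After this change the guard added in `gsskrb5_acceptor_start` is the only NULL check on the authenticator checksum, since the 8003.c hunk removes the one inside `_gsskrb5_verify_8003_checksum`, which now dereferences `cksum->cksumtype` unconditionally. The caller-side check is the right place for the fix, because `authenticator->cksum->cksumtype` is read before the callee is ever reached, but dropping the callee check turns a tolerated input into an undocumented precondition, and any other caller (none are visible in this patch) that passes a NULL checksum would crash the acceptor. I would either keep the old callee check as defence in depth or state the contract at the top of that function, for example `/* cksum must not be NULL: callers check authenticator->cksum before calling */`. A one-line comment above the new guard, such as `/* the authenticator checksum may be absent; reject before dereferencing it */`, would also record why the check exists. The body of `gsskrb5_acceptor_start` starts and ends outside the hunk, so whether `krb5_free_authenticator` is the only cleanup this early return needs cannot be confirmed from here.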