oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Check the GSS-API checksum exists before trying to use it [CVE-2010-1321]

Browse Source 
This was introduced by checking the Kerberos 5 checksum as a
alternative to the 8003 checksum.

Thanks to MIT Kerberos and Shawn Emery for forwarding this issue
This commit is contained in:
Love Hornquist Astrand
2010-05-26 11:53:31 -05:00
parent 7ecd5b5f9d
commit a7e8f05c9b
2 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/gssapi/krb5/8003.c
View File

@@ -182,11 +182,6 @@ _gsskrb5_verify_8003_checksum(
int DlgOpt; int DlgOpt;
static unsigned char zeros[16]; static unsigned char zeros[16];
if (cksum == NULL) {
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
/* XXX should handle checksums > 24 bytes */ /* XXX should handle checksums > 24 bytes */
if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) { if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) {
*minor_status = 0; *minor_status = 0;

7
lib/gssapi/krb5/accept_sec_context.c
View File

@@ -462,6 +462,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
/* /*
* We need to get the flags out of the 8003 checksum. * We need to get the flags out of the 8003 checksum.
*/ */
{ {
krb5_authenticator authenticator; krb5_authenticator authenticator;
@@ -474,6 +475,12 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
return ret; return ret;
} }
if (authenticator->cksum == NULL) {
krb5_free_authenticator(context, &authenticator);
*minor_status = 0;
return GSS_S_BAD_BINDINGS;
}
if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) { if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
ret = _gsskrb5_verify_8003_checksum(minor_status, ret = _gsskrb5_verify_8003_checksum(minor_status,
input_chan_bindings, input_chan_bindings,