From b16f93240ea8d0e82f308d62034c979a0936d1f6 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 20 Dec 2021 15:10:46 +1300 Subject: [PATCH] kdc: Fix NULL pointer dereference on failure to verify armor ticket PAC r->client_princ and r->server_princ are only set in the AS-REQ case, but we perform the PAC check in the TGS-REQ case, so calling krb5_unparse_name() will dereference a NULL pointer. Instead, use r->cname and r->sname. Signed-off-by: Joseph Sutton --- kdc/fast.c | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/kdc/fast.c b/kdc/fast.c index 69b74a71a..e1e964d9f 100644 --- a/kdc/fast.c +++ b/kdc/fast.c @@ -851,21 +851,12 @@ _kdc_fast_check_armor_pac(astgs_request_t r) &r->armor_ticket->ticket, &ad_kdc_issued, &mspac); if (ret) { const char *msg = krb5_get_error_message(r->context, ret); - char *client_princ_name = NULL; - char *server_princ_name = NULL; - - krb5_unparse_name(r->context, r->client_princ, &client_princ_name); - krb5_unparse_name(r->context, r->server_princ, &server_princ_name); kdc_log(r->context, r->config, 4, "Verify armor PAC (%s) failed for %s (%s) from %s with %s (%s)", - armor_client_principal_name, - server_princ_name ? server_princ_name : "", - client_princ_name ? client_princ_name : "", + armor_client_principal_name, r->cname, r->sname, r->from, msg, mspac ? "Ticket unsigned" : "No PAC"); - krb5_xfree(server_princ_name); - krb5_xfree(client_princ_name); krb5_free_error_message(r->context, msg); if (ad_kdc_issued == FALSE || mspac == NULL)
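Review bot: The added argument line passes `r->cname, r->sname` in client-then-server order, while the removed lines filled the same two `%s` slots with the server name first and the client name second, so "failed for %s (%s)" now reports the principals swapped relative to the old output, and the commit message does not say this is intended. If the old meaning is to be kept, the line would read `armor_client_principal_name, r->sname, r->cname,`. The removed code also substituted a fallback string when a name was missing, whereas the new line hands both pointers straight to `%s`; whether `r->cname` and `r->sname` are always set when this check runs in the TGS-REQ path is not visible here, so a guard such as `r->cname ? r->cname : ""` would keep the failure path from trading one NULL dereference for another. This is the line an operator reads when an armor ticket PAC fails verification, so the principal order matters to anyone matching on it. `_kdc_fast_check_armor_pac` starts and ends outside the hunk.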