From 0cb4b939f192376bf5e33637863a91a20f74c5a5 Mon Sep 17 00:00:00 2001
|
|
From: Luke Howard <lukeh@padl.com>
|
|
Date: Fri, 27 Aug 2021 11:42:48 +1000
|
|
Subject: [PATCH] CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
|
|
|
|
In tgs_build_reply(), validate the server name in the TGS-REQ is present before
|
|
dereferencing.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
|
|
|
|
[abartlet@samba.org backported from Heimdal
|
|
commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
|
|
to an earlier patch by Joseph Sutton]
|
|
|
|
RN: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ
|
|
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
source4/heimdal/kdc/krb5tgs.c | 4 ++++
|
|
1 file changed, 4 insertions(+)
|
|
|
|
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
|
|
index b76726cdd64..d143eb739eb 100644
|
|
--- a/source4/heimdal/kdc/krb5tgs.c
|
|
+++ b/source4/heimdal/kdc/krb5tgs.c
|
|
@@ -1603,6 +1603,10 @@ tgs_build_reply(krb5_context context,
|
|
|
|
s = &adtkt.cname;
|
|
r = adtkt.crealm;
|
|
+ } else if (s == NULL) {
|
|
+ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
|
|
+ krb5_set_error_message(context, ret, "No server in request");
|
|
+ goto out;
|
|
}
|
|
|
|
_krb5_principalname2krb5_principal(context, &sp, *s, r);
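Review bot: The new `else if (s == NULL)` branch has no comment explaining why the check sits in the `else` arm, even though the `*s` dereference it protects is only two lines below. The server name is an optional field of the request body, and only the preceding branch replaces `s` with `&adtkt.cname`, so a short comment would keep a later refactor from separating the guard from the dereference, e.g. `/* sname is OPTIONAL in the request; reject a missing name here, before *s is dereferenced below */`. As far as the hunk shows, the branch sets an error message but writes nothing to the KDC log. If the `out:` path does not log either, a `kdc_log` entry here would make these malformed requests visible to operators. The assignment of `s`, the start of `tgs_build_reply` and the `out:` label are all outside the hunk, so both points should be checked against the full function.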
|
|
--
|
|
GitLab
|
|
|