[krbdev.mit.edu #8666] Explicit NULL deref in finish_dispatch()



Jeffrey Arbuckle via RT
In dispatch.c, dispatch() allocates a dispatch_state structure called
state, and initializes some fields.  However, unless krb5_is_as_req(pkt)
is true, state->active_realm does not get initialized before the state
object is passed to finish_dispatch_cache.

finish_dispatch_cache() passes through state to finish_dispatch().

finish_dispatch() invokes the kdc_context macro in a call to
krb5_free_data(), which dereferences state->active_realm (for
realm_tgsprinc).

This is an explicit NULL dereference.  Worth noting also is that
make_too_big_error() will attempt to dereference the same value later in
finish_dispatch().

Thanks,
--Robbie
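As an added illustration of the pattern the report describes, here is a small hypothetical C model; it is not krb5's dispatch.c, and the types, the `dispatch_begin` helper, and the fall-back-to-server-context fix are all assumptions made for the example. It shows a request state whose `active_realm` is set only on the AS-REQ path, a `kdc_context` macro that reaches through that pointer unchecked, and a cleanup routine that chooses its context before dereferencing the realm pointer, so a non-AS-REQ packet can no longer fault the server.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the pattern in the report; this is not krb5's
 * dispatch.c. Names mirror the report (dispatch_state, active_realm,
 * realm_tgsprinc, kdc_context) but the types and logic are invented. */

typedef struct realm_info {
    const char *realm_name;
    int context_id;            /* stands in for a per-realm krb5 context */
} realm_info;

typedef struct dispatch_state {
    int is_as_req;             /* taken from the incoming packet */
    realm_info *active_realm;  /* assigned only on the AS-REQ path */
    char *realm_tgsprinc;      /* heap data the cleanup path must release */
} dispatch_state;

/* Macro in the style the report describes: reaches the context through
 * active_realm and has no NULL check of its own. */
#define kdc_context(state) ((state)->active_realm->context_id)

static realm_info example_realm = { "EXAMPLE.COM", 1 };   /* constructed */

/* Allocation as described in the report: the structure is zeroed, so every
 * field starts out NULL, but active_realm is only filled in for an AS-REQ. */
static dispatch_state *dispatch_begin(int is_as_req)
{
    dispatch_state *state = calloc(1, sizeof(*state));
    if (state == NULL)
        return NULL;
    state->is_as_req = is_as_req;
    state->realm_tgsprinc = malloc(32);    /* constructed payload buffer */
    if (is_as_req)
        state->active_realm = &example_realm;
    /* For a TGS-REQ (or anything else) active_realm stays NULL here. */
    return state;
}

/* Computes the condition under which the report's unguarded cleanup
 * (krb5_free_data(kdc_context, ...) followed by make_too_big_error())
 * would dereference NULL. Evaluating the predicate instead of executing
 * the dereference keeps this runnable as a test. */
static int unguarded_cleanup_would_crash(const dispatch_state *state)
{
    return state->active_realm == NULL;
}

/* Hardened cleanup (assumed fix): select the context before touching the
 * realm pointer, falling back to the server-wide context when no realm was
 * chosen. Returns the context id that was used so the fallback is checkable. */
static int finish_dispatch_safe(dispatch_state *state, int server_context_id)
{
    int ctx = (state->active_realm != NULL) ? kdc_context(state)
                                            : server_context_id;
    free(state->realm_tgsprinc);   /* stands in for krb5_free_data(ctx, ...) */
    state->realm_tgsprinc = NULL;
    free(state);
    return ctx;
}

/* End-to-end: returns the context id the safe cleanup used, and reports via
 * *would_crash whether the original unguarded path would have faulted. */
static int handle_request(int is_as_req, int server_context_id, int *would_crash)
{
    dispatch_state *state = dispatch_begin(is_as_req);
    if (state == NULL)
        return -1;
    if (would_crash != NULL)
        *would_crash = unguarded_cleanup_would_crash(state);
    return finish_dispatch_safe(state, server_context_id);
}

int main(void)
{
    int crash;
    int ctx = handle_request(0, 0, &crash);  /* TGS-style request */
    printf("TGS-REQ: unguarded path would crash=%d, safe path used ctx=%d\n",
           crash, ctx);
    ctx = handle_request(1, 0, &crash);      /* AS-REQ */
    printf("AS-REQ:  unguarded path would crash=%d, safe path used ctx=%d\n",
           crash, ctx);
    return 0;
}
```

The defensive point is that every path out of `dispatch()` must leave the cleanup routine with either a valid realm pointer or an explicit NULL that the cleanup tolerates; zero-initialising the structure only makes the crash deterministic, it does not prevent it.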

_______________________________________________
krb5-bugs mailing list
https://mailman.mit.edu/mailman/listinfo/krb5-bugs