[krbdev.mit.edu #8666] git commit


Jeffrey Arbuckle via RT

Fix KDC null dereference on large TGS replies

For TGS requests, dispatch() doesn't set state->active_realm, which
leads to a NULL dereference in finish_dispatch() if the reply is too
big for UDP.  Prior to commit 0a2f14f752c32a24200363cc6b6ae64a92f81379
the active realm was a global and was set when process_tgs_req()
called setup_server_realm().

Move TGS decoding out of process_tgs_req() so that we can set
state->active_realm before any errors requiring response.  Add a test

[[hidden email]: edited commit message; added test case; reduced code
duplication; removed server handle from process_tgs_req() parameters]

(cherry picked from commit 6afa8b4abf8f7c5774d03e6b15ee7288ad68d725)

Author: Robbie Harwood <[hidden email]>
Committer: Greg Hudson <[hidden email]>
Commit: 086b505b7248ec78502857d6dac72a57c59b36e8
Branch: krb5-1.16
 src/kdc/Makefile.in   |    1 +
 src/kdc/dispatch.c    |   48 +++++++++++++++++++++++++++---------------------
 src/kdc/do_tgs_req.c  |   24 ++++++------------------
 src/kdc/kdc_util.h    |    5 ++---
 src/kdc/t_bigreply.py |   19 +++++++++++++++++++
 5 files changed, 55 insertions(+), 42 deletions(-)
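As an added illustration, not code from krb5 or from this commit: a simplified C model of the ordering bug the message describes, in which the KDC builds a TGS reply and only afterwards (if at all) records the realm on the request state, so the "response too big for UDP" error path reads a NULL pointer. Every name here (`finish_dispatch`, `dispatch_tgs_before`, `dispatch_tgs_after`, `lookup_realm`, `UDP_MAX_REPLY`, the realm `EXAMPLE.TEST`) is a constructed stand-in for the functions and values the commit message mentions, not the krb5 implementation, and the model returns -1 where the real KDC dereferenced NULL so that it runs to completion.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed cutoff standing in for the KDC's UDP reply-size limit. */
#define UDP_MAX_REPLY 64

struct realm { const char *name; };

/* Per-request state, modelled on the commit's state->active_realm. */
struct state {
    const struct realm *active_realm;
    int is_udp;
    size_t reply_len;
};

/* Decoded TGS request; only the realm matters for this illustration. */
struct tgs_req { const char *realm_name; };

static const struct realm REALM_A = { "EXAMPLE.TEST" };
static const struct tgs_req SAMPLE_REQ = { "EXAMPLE.TEST" }; /* constructed */

/* Last message produced by finish_dispatch(), kept for inspection. */
static char last_msg[128];

/* Constructed lookup standing in for setup_server_realm(). */
static const struct realm *lookup_realm(const char *name) {
    return strcmp(name, REALM_A.name) == 0 ? &REALM_A : NULL;
}

/* finish_dispatch-like step: a UDP reply over the limit must be replaced by
 * a "response too big" error, and building that error needs the realm.
 * Returns 0 for a normal reply, 1 when the error was generated, and -1 when
 * active_realm is unset (the state in which the real KDC dereferenced NULL). */
static int finish_dispatch(const struct state *st) {
    if (st->is_udp && st->reply_len > UDP_MAX_REPLY) {
        if (st->active_realm == NULL)
            return -1; /* real code read st->active_realm->... here */
        snprintf(last_msg, sizeof last_msg,
                 "KRB_ERR_RESPONSE_TOO_BIG realm=%s", st->active_realm->name);
        return 1;
    }
    snprintf(last_msg, sizeof last_msg, "TGS-REP %zu bytes", st->reply_len);
    return 0;
}

/* Buggy ordering: process_tgs_req() produces the reply without ever setting
 * active_realm on the request state, so finish_dispatch() sees NULL. */
static int dispatch_tgs_before(const struct tgs_req *req, int is_udp, size_t reply_len) {
    struct state st = { NULL, is_udp, 0 };
    (void)req;                 /* realm is decoded but never stored on state */
    st.reply_len = reply_len;  /* stands in for process_tgs_req() output */
    return finish_dispatch(&st);
}

/* Fixed ordering: decode the request and set active_realm before any step
 * that may need to send an error, which is what the commit does by moving
 * TGS decoding out of process_tgs_req(). Returns 2 for an unknown realm. */
static int dispatch_tgs_after(const struct tgs_req *req, int is_udp, size_t reply_len) {
    struct state st = { NULL, is_udp, 0 };
    st.active_realm = lookup_realm(req->realm_name);
    if (st.active_realm == NULL) {
        snprintf(last_msg, sizeof last_msg, "KRB_ERR: unknown realm %s", req->realm_name);
        return 2;
    }
    st.reply_len = reply_len;
    return finish_dispatch(&st);
}

int main(void) {
    printf("before fix, big UDP reply: rc=%d\n", dispatch_tgs_before(&SAMPLE_REQ, 1, 200));
    printf("after fix,  big UDP reply: rc=%d (%s)\n", dispatch_tgs_after(&SAMPLE_REQ, 1, 200), last_msg);
    printf("after fix,  small reply:   rc=%d (%s)\n", dispatch_tgs_after(&SAMPLE_REQ, 1, 10), last_msg);
    return 0;
}
```

The point to take from the model is the invariant the fix restores: any state an error path may read must be populated before the first step that can fail, not after the success path completes. The matching regression check in the commit (`t_bigreply.py`) exercises exactly that path by forcing a TGS reply larger than the UDP limit.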

krb5-bugs mailing list
[hidden email]