68 lines
2.2 KiB
Diff
68 lines
2.2 KiB
Diff
From c93242bd934a1e4b6f21aae08fbbbd1984d1c653 Mon Sep 17 00:00:00 2001
|
|
From: Greg Hudson <ghudson@mit.edu>
|
|
Date: Wed, 21 Jun 2023 10:57:39 -0400
|
|
Subject: [PATCH] Ensure array count consistency in kadm5 RPC
|
|
|
|
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
|
|
key_data array count when decoding. Otherwise when the structure is
|
|
later freed, xdr_array() could iterate over the wrong number of
|
|
elements, either leaking some memory or freeing uninitialized
|
|
pointers. Reported by Robert Morris.
|
|
|
|
CVE-2023-36054:
|
|
|
|
An authenticated attacker can cause a kadmind process to crash by
|
|
freeing uninitialized pointers. Remote code execution is unlikely.
|
|
An attacker with control of a kadmin server can cause a kadmin client
|
|
to crash by freeing uninitialized pointers.
|
|
|
|
(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
|
|
|
|
ticket: 9099
|
|
version_fixed: 1.20.2
|
|
|
|
(cherry picked from commit c81ffb6c8578a9b55c9d0a10342b5bc1bc6ec4df)
|
|
---
|
|
src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
|
|
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
|
|
index 0411c3fd3..287cae750 100644
|
|
--- a/src/lib/kadm5/kadm_rpc_xdr.c
|
|
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
|
|
@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
|
int v)
|
|
{
|
|
unsigned int n;
|
|
+ bool_t r;
|
|
|
|
if (!xdr_krb5_principal(xdrs, &objp->principal)) {
|
|
return (FALSE);
|
|
@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
|
if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
|
|
return (FALSE);
|
|
}
|
|
+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
|
|
+ return (FALSE);
|
|
+ }
|
|
if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
|
|
return (FALSE);
|
|
}
|
|
@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
|
return FALSE;
|
|
}
|
|
n = objp->n_key_data;
|
|
- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
|
|
- &n, ~0, sizeof(krb5_key_data),
|
|
- xdr_krb5_key_data_nocontents)) {
|
|
+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
|
|
+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
|
|
+ objp->n_key_data = n;
|
|
+ if (!r) {
|
|
return (FALSE);
|
|
}
|
|
|
|
--
|
|
2.41.0
|
|
|