|
0 |
From: Greg Hudson <ghudson@mit.edu>
|
|
1 |
Date: Wed, 21 Jun 2023 10:57:39 -0400
|
|
2 |
Subject: Ensure array count consistency in kadm5 RPC
|
|
3 |
|
|
4 |
In _xdr_kadm5_principal_ent_rec(), ensure that n_key_data matches the
|
|
5 |
key_data array count when decoding. Otherwise when the structure is
|
|
6 |
later freed, xdr_array() could iterate over the wrong number of
|
|
7 |
elements, either leaking some memory or freeing uninitialized
|
|
8 |
pointers. Reported by Robert Morris.
|
|
9 |
|
|
10 |
CVE-2023-36054:
|
|
11 |
|
|
12 |
An authenticated attacker can cause a kadmind process to crash by
|
|
13 |
freeing uninitialized pointers. Remote code execution is unlikely.
|
|
14 |
An attacker with control of a kadmin server can cause a kadmin client
|
|
15 |
to crash by freeing uninitialized pointers.
|
|
16 |
|
|
17 |
ticket: 9099 (new)
|
|
18 |
tags: pullup
|
|
19 |
target_version: 1.21-next
|
|
20 |
target_version: 1.20-next
|
|
21 |
|
|
22 |
(cherry picked from commit ef08b09c9459551aabbe7924fb176f1583053cdd)
|
|
23 |
---
|
|
24 |
src/lib/kadm5/kadm_rpc_xdr.c | 11 ++++++++---
|
|
25 |
1 file changed, 8 insertions(+), 3 deletions(-)
|
|
26 |
|
|
27 |
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
|
|
28 |
index 0411c3f..287cae7 100644
|
|
29 |
--- a/src/lib/kadm5/kadm_rpc_xdr.c
|
|
30 |
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
|
|
31 |
@@ -390,6 +390,7 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
|
32 |
int v)
|
|
33 |
{
|
|
34 |
unsigned int n;
|
|
35 |
+ bool_t r;
|
|
36 |
|
|
37 |
if (!xdr_krb5_principal(xdrs, &objp->principal)) {
|
|
38 |
return (FALSE);
|
|
39 |
@@ -443,6 +444,9 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
|
40 |
if (!xdr_krb5_int16(xdrs, &objp->n_key_data)) {
|
|
41 |
return (FALSE);
|
|
42 |
}
|
|
43 |
+ if (xdrs->x_op == XDR_DECODE && objp->n_key_data < 0) {
|
|
44 |
+ return (FALSE);
|
|
45 |
+ }
|
|
46 |
if (!xdr_krb5_int16(xdrs, &objp->n_tl_data)) {
|
|
47 |
return (FALSE);
|
|
48 |
}
|
|
49 |
@@ -451,9 +455,10 @@ _xdr_kadm5_principal_ent_rec(XDR *xdrs, kadm5_principal_ent_rec *objp,
|
|
50 |
return FALSE;
|
|
51 |
}
|
|
52 |
n = objp->n_key_data;
|
|
53 |
- if (!xdr_array(xdrs, (caddr_t *) &objp->key_data,
|
|
54 |
- &n, ~0, sizeof(krb5_key_data),
|
|
55 |
- xdr_krb5_key_data_nocontents)) {
|
|
56 |
+ r = xdr_array(xdrs, (caddr_t *) &objp->key_data, &n, objp->n_key_data,
|
|
57 |
+ sizeof(krb5_key_data), xdr_krb5_key_data_nocontents);
|
|
58 |
+ objp->n_key_data = n;
|
|
59 |
+ if (!r) {
|
|
60 |
return (FALSE);
|
|
61 |
}
|
|
62 |
|