Commit 0cb4b939 authored by Luke Howard's avatar Luke Howard Committed by Andreas Schneider
Browse files

CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ

In tgs_build_reply(), validate the server name in the TGS-REQ is present before
dereferencing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770



[abartlet@samba.org backported from from Heimdal
commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
to an earlier patch by Joseph Sutton]

RN: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ
Reviewed-by: Andreas Schneider's avatarAndreas Schneider <asn@samba.org>
parent 15f9f040
......@@ -1603,6 +1603,10 @@ tgs_build_reply(krb5_context context,
s = &adtkt.cname;
r = adtkt.crealm;
} else if (s == NULL) {
ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
krb5_set_error_message(context, ret, "No server in request");
goto out;
}
_krb5_principalname2krb5_principal(context, &sp, *s, r);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment