lvxiaoqian/samba

forked from openEuler-RISC-V/samba 
backport-CVE-2021-3671.patch 1.22 KB
eaglegai committed on 2021-10-25 20:03 . fix CVE-2021-3671
From 0cb4b939f192376bf5e33637863a91a20f74c5a5 Mon Sep 17 00:00:00 2001
From: Luke Howard <lukeh@padl.com>
Date: Fri, 27 Aug 2021 11:42:48 +1000
Subject: [PATCH] CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
In tgs_build_reply(), validate the server name in the TGS-REQ is present before
dereferencing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
[abartlet@samba.org backported from Heimdal
commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
to an earlier patch by Joseph Sutton]
RN: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ
Reviewed-by: Andreas Schneider <asn@samba.org>
---
source4/heimdal/kdc/krb5tgs.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index b76726cdd64..d143eb739eb 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1603,6 +1603,10 @@ tgs_build_reply(krb5_context context,
s = &adtkt.cname;
r = adtkt.crealm;
+ } else if (s == NULL) {
+ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ krb5_set_error_message(context, ret, "No server in request");
+ goto out;
}
_krb5_principalname2krb5_principal(context, &sp, *s, r);
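Review bot: The NULL check on `s` is chained as `else if` onto the preceding branch, so it protects the `*s` dereference in `_krb5_principalname2krb5_principal(context, &sp, *s, r)` only as long as every earlier branch in that chain assigns `s`. A standalone `if (s == NULL)` placed immediately before the call would keep the guard next to the dereference and survive later edits to the chain. The diffstat lists only krb5tgs.c, so a regression test covering a TGS-REQ with no server name should accompany the fix, and a one-line comment stating that the server name may be absent from the request would document why the branch exists.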
--
GitLab