heimdal: Fix NULL dereference when mangled realm message

Fix a NULL dereference in _kadm5_s_init_context() when the client sends a mangled realm message. PR: 267912 Reported by: Robert Morris <rtm@lcs.mit.edu> MFC after: 3 days
2022-11-24 06:22:13 -08:00 · 2022-11-24 06:22:13 -08:00 · 05bc50bdb1
commit 05bc50bdb1
parent d7e8666ffb
2 changed files with 8 additions and 2 deletions
--- a/crypto/heimdal/kadmin/server.c
+++ b/crypto/heimdal/kadmin/server.c
@ -516,7 +516,9 @@ handle_v5(krb5_context contextp,
 	ret = krb5_read_priv_message(contextp, ac, &fd, &params);
 	if(ret)
 	    krb5_err(contextp, 1, ret, "krb5_read_priv_message");
-	_kadm5_unmarshal_params(contextp, &params, &realm_params);
+	ret = _kadm5_unmarshal_params(contextp, &params, &realm_params);
+	if(ret)
+	    krb5_err(contextp, 1, ret, "Could not read or parse kadm5 parameters");
    }

    initial = ticket->ticket.flags.initial;
--- a/crypto/heimdal/lib/kadm5/marshall.c
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@ -335,8 +335,12 @@ _kadm5_unmarshal_params(krb5_context context,
 	goto out;
    params->mask = mask;

-    if(params->mask & KADM5_CONFIG_REALM)
+    if (params->mask & KADM5_CONFIG_REALM) {
 	ret = krb5_ret_string(sp, &params->realm);
+	if (params->realm == NULL) {
+	    ret = EINVAL;
+	}
+    }
 out:
    krb5_storage_free(sp);