[Bug 267912] kadmind dereferences NULL if client sends mangled realm message

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 22 Nov 2022 17:54:12 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267912

--- Comment #1 from Robert Morris <rtm@lcs.mit.edu> ---
Further, _kadm5_unmarshal_params() lets the client set any bits in
params->mask, but only tries to read params->realm, leaving the other
params-> fields unset despite bits set by the client. One consequence
is that the client can cause _kadm5_s_init_context() to crash in some
of these lines:

    if(is_set(DBNAME))
        (*ctx)->config.dbname = strdup(params->dbname);
    if(is_set(ACL_FILE))
        (*ctx)->config.acl_file = strdup(params->acl_file);
    if(is_set(STASH_FILE))
        (*ctx)->config.stash_file = strdup(params->stash_file);

-- 
You are receiving this mail because:
You are the assignee for the bug.
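The following is an added example, not Heimdal's code and not part of this bug report: a simplified C model of the mask/field mismatch the comment describes. The wire layout (a 4-byte big-endian mask followed by a NUL-terminated realm), the struct and function names (kadm_params, unmarshal_naive, unmarshal_checked, init_config) and the mask bit values are all assumptions made for the illustration. It shows a decoder that accepts whatever mask the client sends while only decoding the realm, a checked decoder that rejects a mask claiming fields it never read, and a consumer that refuses a params block whose mask and fields disagree instead of reaching strdup(NULL).

```c
/* Added example: hypothetical model of mask/field mismatch (not Heimdal's code). */
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MASK_REALM      0x01u   /* hypothetical bit values */
#define MASK_DBNAME     0x02u
#define MASK_ACL_FILE   0x04u
#define MASK_STASH_FILE 0x08u
/* The only field this decoder actually knows how to read from the wire. */
#define MASK_PARSED     MASK_REALM

struct kadm_params {
    uint32_t mask;
    char *realm, *dbname, *acl_file, *stash_file;
};
struct config { char *dbname, *acl_file, *stash_file; };

/* Constructed messages: mask 0x0F claims every field but carries only a realm. */
static const uint8_t hostile[] = {0x00,0x00,0x00,0x0F,'E','X','A','M','P','L','E','.','O','R','G','\0'};
static const uint8_t benign[]  = {0x00,0x00,0x00,0x01,'E','X','A','M','P','L','E','.','O','R','G','\0'};

/* Naive decoder: copies the client's mask verbatim, decodes only realm. */
static int unmarshal_naive(const uint8_t *buf, size_t len, struct kadm_params *p)
{
    if (len < 5) return -1;
    memset(p, 0, sizeof *p);
    p->mask = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
              ((uint32_t)buf[2] << 8) | buf[3];
    if (memchr(buf + 4, '\0', len - 4) == NULL) return -1;  /* realm must be terminated */
    p->realm = strdup((const char *)buf + 4);
    return p->realm ? 0 : -1;
}

/* Checked decoder: a mask bit for a field we never decoded is a protocol error. */
static int unmarshal_checked(const uint8_t *buf, size_t len, struct kadm_params *p)
{
    if (unmarshal_naive(buf, len, p) != 0) return -1;
    if (p->mask & ~MASK_PARSED) {
        free(p->realm);
        memset(p, 0, sizeof *p);
        return -1;
    }
    return 0;
}

/* Consumer modelled on the quoted init-context lines: a set bit with a NULL
 * field is rejected rather than passed to strdup(). */
static int init_config(const struct kadm_params *p, struct config *c)
{
    memset(c, 0, sizeof *c);
    if (p->mask & MASK_DBNAME) {
        if (p->dbname == NULL) return -1;
        c->dbname = strdup(p->dbname);
    }
    if (p->mask & MASK_ACL_FILE) {
        if (p->acl_file == NULL) return -1;
        c->acl_file = strdup(p->acl_file);
    }
    if (p->mask & MASK_STASH_FILE) {
        if (p->stash_file == NULL) return -1;
        c->stash_file = strdup(p->stash_file);
    }
    return 0;
}

/* Naive path: accepted, yet DBNAME bit is set while dbname is NULL. */
static int naive_leaves_null(void)
{
    struct kadm_params p;
    int r = unmarshal_naive(hostile, sizeof hostile, &p);
    int bad = (r == 0) && (p.mask & MASK_DBNAME) && p.dbname == NULL;
    if (r == 0) free(p.realm);
    return bad;
}
/* Checked path: the same message is refused and nothing is left allocated. */
static int checked_rejects_hostile(void)
{
    struct kadm_params p;
    return unmarshal_checked(hostile, sizeof hostile, &p) == -1 && p.realm == NULL;
}
/* A well-formed message still decodes normally. */
static int checked_accepts_benign(void)
{
    struct kadm_params p;
    int ok = unmarshal_checked(benign, sizeof benign, &p) == 0 &&
             p.mask == MASK_REALM && strcmp(p.realm, "EXAMPLE.ORG") == 0;
    if (ok) free(p.realm);
    return ok;
}
/* Defence in depth: even a naively decoded block cannot reach strdup(NULL). */
static int init_config_rejects_mismatch(void)
{
    struct kadm_params p;
    struct config c;
    if (unmarshal_naive(hostile, sizeof hostile, &p) != 0) return 0;
    int r = init_config(&p, &c);
    free(p.realm);
    return r == -1 && c.dbname == NULL;
}

int main(void)
{
    printf("naive accepts mask with unparsed bits: %d\n", naive_leaves_null());
    printf("checked rejects it: %d, accepts benign: %d, consumer guards: %d\n",
           checked_rejects_hostile(), checked_accepts_benign(),
           init_config_rejects_mismatch());
    return 0;
}
```

The two checks are deliberately independent: rejecting unknown mask bits at decode time keeps the mask and the decoded contents consistent by construction, while the NULL test in the consumer protects every later caller that receives a params block from some other path. A server-side log line at the decode rejection is also the natural place to notice a client sending such mangled messages.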