[19712] in Kerberos_V5_Development
Re: Is the vulnerability CVE-2017-11462 applicable to older MIT
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Jan 17 10:25:08 2018
To: Sergey Emantayev <sergeem@yahoo.com>, "krbdev@mit.edu" <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <5b95d969-4def-6fbb-35eb-01249f93acce@mit.edu>
Date: Wed, 17 Jan 2018 10:24:38 -0500
MIME-Version: 1.0
In-Reply-To: <1180419751.4953783.1516189367693@mail.yahoo.com>
Content-Language: en-US
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On 01/17/2018 06:42 AM, Sergey Emantayev wrote:
> Sorry for the delayed response.
> How can I identify an incorrect usage of gss_init_sec_context
> / gss_accept_sec_context?
Both of these calls accept a pointer to a context handle (gss_ctx_id_t).
Both calls are permitted by RFC 2744 to delete an existing context
handle on error, setting the caller's handle to GSS_C_NO_CONTEXT;
alternatively, implementations may leave the context alone on error and
wait for the caller to delete it.
The danger arises if a caller copies the context handle and passes a
pointer to the copy to gss_init_sec_context() or
gss_accept_sec_context(), then passes a pointer to the original context
handle to gss_delete_sec_context(). If the caller uses the same pointer
to the context handle for all calls relating to a context, it should be
safe. (If it does use copies, it can still be safe if it updates all
copies of the context handle after each call to init/accept_sec_context,
on success or failure.)
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev