diff options
author | Isaac Boukris <iboukris@gmail.com> | 2018-08-18 00:40:30 +0300 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2018-11-28 08:22:24 +0100 |
commit | 6c453aeb0c771d14fe501e9a37d9f51b9403872b (patch) | |
tree | b3701ae35e3a740cb2418b0a5217ddb7b72015b2 /source4 | |
parent | bf0e9041becde3ad15e03d820cd2919c708dd9f5 (diff) | |
download | samba-6c453aeb0c771d14fe501e9a37d9f51b9403872b.tar.gz |
CVE-2018-16853: The ticket in check_policy_as can actually be a TGS
This happens when we are called from S4U2Self flow, and in that case
kdcreq->client is NULL. Use the name from client entry instead.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/kdc/mit-kdb/kdb_samba_policies.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c index de5813bde2f..81ac73582e0 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c @@ -81,6 +81,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, char *netbios_name = NULL; char *realm = NULL; bool password_change = false; + krb5_const_principal client_princ; DATA_BLOB int_data = { NULL, 0 }; krb5_data d; krb5_pa_data **e_data; @@ -90,7 +91,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, return KRB5_KDB_DBNOTINITED; } - if (ks_is_kadmin(context, kdcreq->client)) { + /* Prefer canonicalised name from client entry */ + client_princ = client ? client->princ : kdcreq->client; + + if (client_princ == NULL || ks_is_kadmin(context, client_princ)) { return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; } @@ -111,7 +115,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, goto done; } - code = krb5_unparse_name(context, kdcreq->client, &client_name); + code = krb5_unparse_name(context, client_princ, &client_name); if (code) { goto done; } |