git: 709a426717c9 - stable/12 - heimdal: Fix NULL dereference when mangled realm message

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Thu, 01 Dec 2022 14:26:04 UTC
The branch stable/12 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=709a426717c9d8e9eedf92a07f5410f6c05409ac

commit 709a426717c9d8e9eedf92a07f5410f6c05409ac
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-11-24 14:22:13 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-12-01 14:25:52 +0000

    heimdal: Fix NULL dereference when mangled realm message
    
    Fix a NULL dereference in _kadm5_s_init_context() when the client
    sends a mangled realm message.
    
    PR:             267912
    Reported by:    Robert Morris <rtm@lcs.mit.edu>
    
    (cherry picked from commit 05bc50bdb1c1ddbbeb853ea4b184aced0eca9b3f)
---
 crypto/heimdal/kadmin/server.c      | 4 +++-
 crypto/heimdal/lib/kadm5/marshall.c | 6 +++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/crypto/heimdal/kadmin/server.c b/crypto/heimdal/kadmin/server.c
index 256c2bac89b7..2800a2e1fc29 100644
--- a/crypto/heimdal/kadmin/server.c
+++ b/crypto/heimdal/kadmin/server.c
@@ -516,7 +516,9 @@ handle_v5(krb5_context contextp,
 	ret = krb5_read_priv_message(contextp, ac, &fd, &params);
 	if(ret)
 	    krb5_err(contextp, 1, ret, "krb5_read_priv_message");
-	_kadm5_unmarshal_params(contextp, &params, &realm_params);
+	ret = _kadm5_unmarshal_params(contextp, &params, &realm_params);
+	if(ret)
+	    krb5_err(contextp, 1, ret, "Could not read or parse kadm5 parameters");
     }
 
     initial = ticket->ticket.flags.initial;
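Review bot: krb5_err terminates the process with status 1, so a mangled params blob now ends the handler with a logged error instead of a NULL dereference; that matches the krb5_read_priv_message check two lines above, but whether this stops only a per-connection child or the whole daemon depends on how handle_v5 is invoked, which is not visible in the hunk. If it is the listener process, one malformed message from an authenticated client still takes the service down, and a logged error followed by closing the connection would contain the failure better. Stylistically the new `if(ret)` differs from the `if (...)` with braces written in the marshall.c hunk of the same commit; `if (ret)` would keep the two consistent. handle_v5 begins and ends outside the hunk.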
diff --git a/crypto/heimdal/lib/kadm5/marshall.c b/crypto/heimdal/lib/kadm5/marshall.c
index 65804afbf92b..38b9855021b2 100644
--- a/crypto/heimdal/lib/kadm5/marshall.c
+++ b/crypto/heimdal/lib/kadm5/marshall.c
@@ -335,8 +335,12 @@ _kadm5_unmarshal_params(krb5_context context,
 	goto out;
     params->mask = mask;
 
-    if(params->mask & KADM5_CONFIG_REALM)
+    if (params->mask & KADM5_CONFIG_REALM) {
 	ret = krb5_ret_string(sp, &params->realm);
+	if (params->realm == NULL) {
+	    ret = EINVAL;
+	}
+    }
  out:
     krb5_storage_free(sp);
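Review bot: The added check overwrites the return code of krb5_ret_string: if that call fails and params->realm is NULL afterwards, its error (for example an allocation or storage error) is replaced by EINVAL, which makes the caller's log line less useful for diagnosing the bad message. `if (ret == 0 && params->realm == NULL)` keeps the underlying code while still rejecting a missing realm. The guard also only works if params->realm is NULL before the call on every path where krb5_ret_string does not assign it; whether the caller zero-initializes params is not visible here and is worth confirming. _kadm5_unmarshal_params continues past the out: label outside the hunk.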