Any info on CVE-2006-1721 ?
Alexey Melnikov
alexey.melnikov at isode.com
Thu Oct 5 14:54:21 EDT 2006
Kai Blin wrote:
>>My question is, what was the attack and how was it
>>averted by doing this?
>>**********************************************
>>- if (strcmp(realm, text->realm) != 0) {
>>+ if (((realm != NULL) && (strcmp(realm,
>>text->realm) != 0)) &&
>>+ (text->realm[0] != 0)) {
>> SETERROR(sparams->utils,....
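Review bot: the new condition at `+ if (((realm != NULL) && (strcmp(realm,` does more than avoid the NULL dereference: when the client omits realm= (realm == NULL), or when text->realm is an empty string, the mismatch error is no longer raised at all, so those cases are now accepted as matching rather than rejected; that behaviour change should be stated in a comment or the commit message. Also, `text->realm[0] != 0` is evaluated without any guard on text->realm itself, so it is worth confirming text->realm cannot be NULL on the first use of the context, the situation the speculation above refers to.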
>>***********************************************
>>All I know is from
>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721
>>How a "text->realm != 0" and a "realm != NULL", could
>>avert that attack?
>>
>>
>
>The old check causes a segfault if realm was a null pointer on the strcmp()
>check.
>
Yes. This could have happened if the client was not sending the realm=
option.
>This was fixed with the realm != NULL check.
>
Correct.
>I figure the text->realm[0] != 0 check was just added to avoid a wrong return value on the
>first use of a context. That's a speculation on my part, though.
>
>
I am not sure what was the reason for adding this check, I need to check
the code.
I wasn't the one who added it and the person who did no longer works for
CMU.
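As an added example (not code from the thread or from Cyrus SASL), here are the unpatched and patched conditions written as stand-alone C predicates, assuming text->realm is non-NULL as the original strcmp() call already assumed; it shows which client/server realm combinations the patched check still reports and which it now silently accepts.

```c
#include <stdio.h>
#include <string.h>

/*
 * Model of the DIGEST-MD5 realm check discussed in the thread.
 * realm      : the realm= value sent by the client, or NULL if it was omitted.
 * text_realm : the realm the server stored in its context (text->realm),
 *              assumed non-NULL here, as the original strcmp() call assumed.
 * Both functions return 1 when SETERROR() would be reached, 0 otherwise.
 */

/* Unpatched condition: strcmp(realm, text->realm) with no NULL guard.
 * Calling this with realm == NULL dereferences a null pointer, which is
 * the crash the fix addresses; callers must only pass non-NULL realms. */
int realm_mismatch_unpatched(const char *realm, const char *text_realm)
{
    return strcmp(realm, text_realm) != 0;
}

/* Patched condition as in the quoted diff:
 * (realm != NULL && strcmp(realm, text_realm) != 0) && text_realm[0] != 0.
 * The NULL guard is evaluated first, so strcmp() is never reached with a
 * NULL realm; an omitted realm or an empty server realm is not reported. */
int realm_mismatch_patched(const char *realm, const char *text_realm)
{
    return ((realm != NULL) && (strcmp(realm, text_realm) != 0))
           && (text_realm[0] != 0);
}

int main(void)
{
    const char *server_realm = "example.com";   /* constructed sample value */
    const char *cases[] = { "example.com", "other.org", "", NULL };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("client realm %-14s -> error=%d\n",
               cases[i] ? cases[i] : "(omitted)",
               realm_mismatch_patched(cases[i], server_realm));
    }
    /* Empty server realm: the mismatch is suppressed by text_realm[0] != 0. */
    printf("client realm other.org vs empty server realm -> error=%d\n",
           realm_mismatch_patched("other.org", ""));
    return 0;
}
```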