Any info on CVE-2006-1721 ?

Alexey Melnikov alexey.melnikov at isode.com
Thu Oct 5 14:54:21 EDT 2006


Kai Blin wrote:

>>My question is, what was the attack and how was it
>>averted by doing this?
>>**********************************************
>>-    if (strcmp(realm, text->realm) != 0) {
>>+    if (((realm != NULL) && (strcmp(realm,
>>text->realm) != 0)) &&
>>+	(text->realm[0] != 0)) {
>> 	SETERROR(sparams->utils,....
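Review bot: the added (realm != NULL) guard removes the crash but changes what a missing realm means: when the client sends no realm= directive the whole condition is false and the SETERROR path is skipped, so the request passes as if the realm matched. If a missing realm should be rejected rather than silently accepted, the guard wants to be `(realm == NULL) || (strcmp(realm, text->realm) != 0)`; either way the intended semantics deserve a comment. The trailing `(text->realm[0] != 0)` clause also disables the mismatch check entirely whenever the server-side realm is the empty string, which is worth stating explicitly since nothing in the hunk explains it.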
>>***********************************************
>>All I know is from
>>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721
>>How a "text->realm != 0" and a "realm != NULL", could
>>avert that attack?
>>    
>>
>
>The old check causes a segfault if realm was a null pointer on the strcmp() 
>check.
>
Yes. This could have happened if the client was not sending the realm= 
option.

>This was fixed with the realm != NULL check.
>
Correct.

>I figure the text->realm[0] != 0 check was just added to avoid a wrong return value on the 
>first use of a context. That's a speculation on my part, though.
>  
>
I am not sure what the reason was for adding this check; I need to check 
the code.
I wasn't the one who added it and the person who did no longer works for 
CMU.
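To make the behaviour of the two conditions concrete, here is an added example (not code from Cyrus SASL or from either poster) that models the old and new checks as plain functions: the old strcmp(NULL, ...) path is reported as a crash instead of being executed, and the new condition is copied from the patch. The function names, the server_realm parameter (standing in for text->realm) and the realm strings are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Outcome of the server-side realm comparison. */
enum realm_result {
    REALM_OK,        /* no error raised by the check */
    REALM_MISMATCH,  /* the SETERROR path is taken */
    REALM_CRASH      /* the old code would call strcmp(NULL, ...) */
};

/* Old check: if (strcmp(realm, text->realm) != 0) { SETERROR ... }
 * The NULL case is reported rather than executed, so the example runs. */
enum realm_result check_realm_old(const char *realm, const char *server_realm)
{
    if (realm == NULL)
        return REALM_CRASH;  /* strcmp() dereferences NULL here: CVE-2006-1721 */
    return strcmp(realm, server_realm) != 0 ? REALM_MISMATCH : REALM_OK;
}

/* New check, as in the patch:
 * if (((realm != NULL) && (strcmp(realm, text->realm) != 0)) &&
 *     (text->realm[0] != 0)) { SETERROR ... } */
enum realm_result check_realm_new(const char *realm, const char *server_realm)
{
    if (((realm != NULL) && (strcmp(realm, server_realm) != 0)) &&
        (server_realm[0] != 0))
        return REALM_MISMATCH;
    /* Reached both when the realms match and when realm is NULL
     * or the server realm is empty: no error is raised in those cases. */
    return REALM_OK;
}
```

Running the two functions on a missing client realm (NULL), a mismatched realm, and an empty server realm shows which inputs crash the old code and which the new condition silently accepts.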



More information about the Cyrus-sasl mailing list