Kai Blin wrote:
My question is, what was the attack and how was it
averted by doing this?
**********************************************
- if (strcmp(realm, text->realm) != 0) {
+ if (((realm != NULL) && (strcmp(realm,
text->realm) != 0)) &&
+ (text->realm[0] != 0)) {
SETERROR(sparams->utils,....
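Review bot: with the new grouping the mismatch is reported only when `realm` is non-NULL, so a client that omits `realm=` entirely now skips this check silently instead of being rejected; if a realm is required here, the NULL case should be an explicit error rather than a pass-through, and the intent should be stated in a comment. The added `(text->realm[0] != 0)` clause likewise makes an empty stored realm accept any client-supplied value, which deserves a comment explaining why that is correct (the thread itself is unsure of the reason).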
***********************************************
All I know is from
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721
How could a "text->realm != 0" and a "realm != NULL" avert that attack?
The old check causes a segfault if realm was a null pointer on the strcmp()
check.
Yes. This could have happened if the client was not sending the realm=
option.
This was fixed with the realm != NULL check.
Correct.
I figure the text->realm[0] != 0 check was just added to avoid a wrong return value on the
first use of a context. That's a speculation on my part, though.
I am not sure what the reason for adding this check was, I need to check
the code.
I wasn't the one who added it and the person who did no longer works for
CMU.
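The behaviour discussed in the thread, as an added example that is not code from the Cyrus SASL source or from anyone in the thread: the two `if` conditions are copied from the quoted diff, while the `ctx` struct, the function names and the sample realms are constructed stand-ins for the `text` context.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in (constructed) for the `text` context in the quoted diff:
 * `realm` holds the realm the server stored for this context, "" on first use. */
struct ctx {
    const char *realm;
};

/* Constructed sample contexts. */
static const struct ctx sample_stored = { "example.org" };
static const struct ctx sample_fresh  = { "" };

/* Old check ("-" line): dereferences `realm` unconditionally, so a client that
 * omits realm= (realm == NULL) makes strcmp() read a null pointer and the
 * server segfaults. Only ever called below with a non-NULL realm. */
static int realm_mismatch_old(const char *realm, const struct ctx *text)
{
    return strcmp(realm, text->realm) != 0;
}

/* New check ("+" lines): a mismatch is reported only when the client sent a
 * realm, it differs from the stored one, and the stored one is non-empty.
 * Consequence: a missing realm= (NULL) and a not-yet-set stored realm ("")
 * both fall through without an error. */
static int realm_mismatch_new(const char *realm, const struct ctx *text)
{
    return ((realm != NULL) && (strcmp(realm, text->realm) != 0)) &&
           (text->realm[0] != 0);
}

int main(void)
{
    printf("matching realm, old check:  %d\n",
           realm_mismatch_old("example.org", &sample_stored));
    printf("different realm, new check: %d\n",
           realm_mismatch_new("other.example", &sample_stored));
    printf("no realm= sent, new check:  %d\n",
           realm_mismatch_new(NULL, &sample_stored));
    printf("fresh context, new check:   %d\n",
           realm_mismatch_new("other.example", &sample_fresh));
    return 0;
}
```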