Double-free in Samba AD DC KDC with PKINIT

ID SAMBA:CVE-2018-16841
Type samba
Reporter Samba
Modified 2018-11-27T00:00:00


When configured to accept smart-card authentication, Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. talloc is robust against further corruption from a double-free with talloc_free() and directly calls abort(), terminating the KDC process. There is no further vulnerability associated with this issue, merely a denial of service.