author | Greg Hudson <ghudson@mit.edu> | 2013-12-06 18:56:56 -0500 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2013-12-06 21:06:26 -0500 |
commit | 13fd26e1863c79f616653f6a10a58c01f65fceff (patch) | |
tree | 86ef3d5f18c8cb6fc28091daca0d5923d8cd2020 /src | |
parent | 55c3a5f69919c2b5435bac0cb48ab09b11be869c (diff) | |
Avoid malloc(0) in SPNEGO get_input_token
If we read a zero-length token in spnego_mech.c's get_input_token(),
set the value pointer to NULL instead of calling malloc(0).
ticket: 7794 (new)
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/gssapi/spnego/spnego_mech.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 24c344066d..393766274b 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3140,14 +3140,17 @@ get_input_token(unsigned char **buff_in, unsigned int buff_length)
 return (NULL);
 input_token->length = len;
- input_token->value = gssalloc_malloc(input_token->length);
+ if (input_token->length > 0) {
+ input_token->value = gssalloc_malloc(input_token->length);
+ if (input_token->value == NULL) {
+ free(input_token);
+ return (NULL);
+ }
- if (input_token->value == NULL) {
- free(input_token);
- return (NULL);
+ memcpy(input_token->value, *buff_in, input_token->length);
+ } else {
+ input_token->value = NULL;
 }
-
- (void) memcpy(input_token->value, *buff_in, input_token->length);
 *buff_in += input_token->length;
 return (input_token);
 } |
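Review bot: The new `else` branch hands callers a non-NULL token whose `value` is NULL, and nothing in the hunk records that contract. A comment above the `if (input_token->length > 0)` test would help, for example `/* Avoid malloc(0), which may return NULL; a zero-length token has value == NULL, so callers must check length before using value. */`. Separately, the `memcpy` still copies `input_token->length` bytes from `*buff_in`, a length taken from `len`. The check that `len` fits within `buff_length` is not visible here because get_input_token starts above the hunk, so it is worth confirming that the bound is enforced before this point.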