author | Simo Sorce <simo@redhat.com> | 2014-01-26 13:49:04 -0500 |
committer | Simo Sorce <simo@redhat.com> | 2014-01-26 15:52:37 -0500 |
commit | ecaf387c9c2d1b19259d197bf18c6127896ab03f (patch) | |
tree | 5d3456f6d2ec2b8617a414e4d4e8bbde97201a9c | |
parent | 37c43d36f928bea360cddbff5d330d0b56bc11b2 (diff) | |
Fix segfault in init context.
The init context function was initializing the ctx variable too late, so when
some early error conditions happened it passed the delete context function a
random memory address, which that function would then try to free.
This would cause a SEGFAULT in most cases.
Additionally, iconv_close() unfortunately does not follow good practices and
blindly dereferences its argument, even if the passed-in pointer is NULL.
So add a check before calling it.
-rw-r--r-- | src/gss_sec_ctx.c | 4 | ||||
-rw-r--r-- | src/ntlm.c | 13 |
2 files changed, 11 insertions, 6 deletions
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
index df25daa..d55e9c6 100644
--- a/src/gss_sec_ctx.c
+++ b/src/gss_sec_ctx.c
@@ -63,6 +63,8 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
     uint8_t sec_req;
     bool key_exch;
+    ctx = (struct gssntlm_ctx *)(*context_handle);
+
     /* reset return values */
     *minor_status = 0;
     if (actual_mech_type) *actual_mech_type = NULL;
@@ -105,8 +107,6 @@ uint32_t gssntlm_init_sec_context(uint32_t *minor_status,
         }
     }
-    ctx = (struct gssntlm_ctx *)(*context_handle);
-
     if (ctx == NULL) {
         /* first call */
@@ -193,12 +193,17 @@ int ntlm_free_ctx(struct ntlm_ctx **ctx)
     if (!ctx || !*ctx) return 0;
-    ret = iconv_close((*ctx)->from_oem);
-    if (ret) ret = errno;
+    if ((*ctx)->from_oem) {
+        ret = iconv_close((*ctx)->from_oem);
+        if (ret) goto done;
+    }
-    ret = iconv_close((*ctx)->to_oem);
-    if (ret) ret = errno;
+    if ((*ctx)->to_oem) {
+        ret = iconv_close((*ctx)->to_oem);
+    }
+done:
+    if (ret) ret = errno;
     safefree(*ctx);
     return ret;
 } |
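Review bot: The moved line `ctx = (struct gssntlm_ctx *)(*context_handle);` now carries an ordering constraint that nothing in the code records: per the commit message it has to run before the first early error exit so the cleanup path hands a real pointer to the delete-context function, and a later tidy-up of the declarations could silently reintroduce the freed-garbage-pointer bug. Suggest a comment above it, `/* must precede any early error exit: the cleanup path passes ctx to the delete-context function */`. The hunk also dereferences `*context_handle` with no check of `context_handle` itself visible; if a NULL handle pointer is meant to be rejected rather than left as a caller contract, that check now has to come before this line. gssntlm_init_sec_context's signature and the rest of its body are outside the hunk.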
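Review bot: The `goto done` after a failed `iconv_close((*ctx)->from_oem)` skips the close of `to_oem`, so an error on the first descriptor leaks the second one as soon as `safefree(*ctx)` drops the only reference to it; the old code closed both unconditionally. The new flow also reaches `if (ret) ret = errno;` without having assigned `ret` when both descriptors are NULL, so unless `ret` is initialised at its declaration (above the hunk, not visible here) the function returns an uninitialised value. Closing both descriptors, recording the first errno, and dropping the label fixes both; the declaration of `ret` and the function signature are outside the hunk.
```c
    if (!ctx || !*ctx) return 0;

    ret = 0;
    if ((*ctx)->from_oem) {
        if (iconv_close((*ctx)->from_oem)) ret = errno;
    }
    if ((*ctx)->to_oem) {
        /* keep the first error, but still release the second descriptor */
        if (iconv_close((*ctx)->to_oem) && !ret) ret = errno;
    }
    safefree(*ctx);
    return ret;
```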