authorTom Yu <tlyu@mit.edu>2009-03-13 21:16:14 +0000
committerTom Yu <tlyu@mit.edu>2009-03-13 21:16:14 +0000
commit4fa89fc784b87b22bb551e9a8dc754cb2392d732 (patch)
treeeebd37c0f30fa321c738d8703f33d89f1844f82a
parent04e24348bf820b0eb73c10e41549f83aab04979b (diff)
CVE-2009-0845 SPNEGO can dereference a null pointer
acc_ctx_new() can return an error condition without establishing a SPNEGO context structure. This can cause a null pointer dereference in cleanup code in spnego_gss_accept_sec_context(). ticket: 6417 tags: pullup target_version: 1.7 git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22084 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/lib/gssapi/spnego/spnego_mech.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 3a6653caf..708017a8d 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1650,7 +1650,8 @@ spnego_gss_accept_sec_context(
&negState, &return_token);
}
cleanup:
- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+ if (return_token == INIT_TOKEN_SEND ||
+ return_token == CONT_TOKEN_SEND) {
/* For acceptor-sends-first send a tokenInit */
int tmpret;