svn rev #22084: trunk/src/lib/gssapi/spnego/
tlyu@MIT.EDU
tlyu at MIT.EDU
Fri Mar 13 17:16:15 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22084
Commit By: tlyu
Log Message:
ticket: 6417
subject: CVE-2009-0845 SPNEGO can dereference a null pointer
tags: pullup
target_version: 1.7
acc_ctx_new() can return an error condition without establishing a
SPNEGO context structure. This can cause a null pointer dereference
in cleanup code in spnego_gss_accept_sec_context().
Changed Files:
U trunk/src/lib/gssapi/spnego/spnego_mech.c
Modified: trunk/src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-03-13 03:10:12 UTC (rev 22083)
+++ trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-03-13 21:16:14 UTC (rev 22084)
@@ -1650,7 +1650,8 @@
&negState, &return_token);
}
cleanup:
- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+ if (return_token == INIT_TOKEN_SEND ||
+ return_token == CONT_TOKEN_SEND) {
/* For acceptor-sends-first send a tokenInit */
int tmpret;
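Review bot: The new condition at the `cleanup:` label guards the dereference only indirectly, by allowlisting `INIT_TOKEN_SEND` and `CONT_TOKEN_SEND`; nothing in the hunk checks the SPNEGO context pointer itself. The fix therefore holds only as long as every path that reaches `cleanup:` without an established context, such as the acc_ctx_new() failure described in the log message, leaves `return_token` at some other value. Consider adding an explicit null check on the context before the block uses it, or a comment at the condition stating that invariant. The existing comment `/* For acceptor-sends-first send a tokenInit */` also describes only one of the two cases the condition now names and could be updated to cover both.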