svn rev #22104: branches/krb5-1-6/src/lib/gssapi/spnego/
tlyu@MIT.EDU
Tue Mar 17 17:34:14 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22104
Commit By: tlyu
Log Message:
ticket: 6426
subject: CVE-2009-0845 (1.6.x) SPNEGO can dereference a null pointer
tags: pullup
target_version: 1.6.4
version_fixed: 1.6.4
pull up r22084 from trunk
acc_ctx_new() can return an error condition without establishing a
SPNEGO context structure. This can cause a null pointer dereference
in cleanup code in spnego_gss_accept_sec_context().
Changed Files:
U branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c
Modified: branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c 2009-03-16 22:42:01 UTC (rev 22103)
+++ branches/krb5-1-6/src/lib/gssapi/spnego/spnego_mech.c 2009-03-17 21:34:13 UTC (rev 22104)
@@ -1248,7 +1248,8 @@
&negState, &return_token);
}
cleanup:
- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+ if (return_token == INIT_TOKEN_SEND ||
+ return_token == CONT_TOKEN_SEND) {
tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
&mechtok_out, mic_out,
return_token,
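Review bot: The rewritten condition under cleanup: still does not test sc itself before the sc->internal_mech dereference in the make_spnego_tokenTarg_msg() call. It is safe only as long as no path that leaves sc NULL can set return_token to INIT_TOKEN_SEND or CONT_TOKEN_SEND. Consider adding an explicit sc != NULL test to the condition, or a comment above it stating that invariant, so a later change to acc_ctx_new() or to the token flags cannot reintroduce the null dereference. Separately, moving from excluding NO_TOKEN_SEND and CHECK_MIC to listing the two sending values means any other value return_token can take now skips the token message entirely; it would help to state in a comment whether that is intended for those values.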