krb5 commit: Fix IAKERB accept_sec_context null pointer crash
ghudson at mit.edu
ghudson at mit.edu
Tue Mar 25 14:45:14 EDT 2025
https://github.com/krb5/krb5/commit/f0230605c4ffe475e158d1a4ab17ed2c7f4c6189
commit f0230605c4ffe475e158d1a4ab17ed2c7f4c6189
Author: Alexander Bokovoy <abokovoy at redhat.com>
Date: Fri Mar 21 09:52:47 2025 +0200
Fix IAKERB accept_sec_context null pointer crash
When iakerb_gss_accept_sec_context() processes an initial token which
is not an IAKERB token (because the client already has a service
ticket), set *context_handle. Otherwise subsequent GSS calls using
this context will dereference a null pointer and crash.
[ghudson at mit.edu: moved fix to cleanup handler to avoid code
duplication; added tests; rewrote commit message]
ticket: 9168 (new)
src/appl/gss-sample/t_gss_sample.py | 7 +++++++
src/lib/gssapi/krb5/iakerb.c | 18 +++++++++---------
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/src/appl/gss-sample/t_gss_sample.py b/src/appl/gss-sample/t_gss_sample.py
index dad31e4b3..f823979e1 100755
--- a/src/appl/gss-sample/t_gss_sample.py
+++ b/src/appl/gss-sample/t_gss_sample.py
@@ -116,6 +116,13 @@ for realm in multipass_realms():
# test default (i.e., krb5) mechanism with GSS_C_DCE_STYLE
tgs_test(realm, ['-dce'])
+ mark('AP')
+ ccache_save(realm)
+ tgs_test(realm, ['-krb5'])
+ tgs_test(realm, ['-spnego'])
+ tgs_test(realm, ['-iakerb'], ['-iakerb'])
+ tgs_test(realm, ['-dce'])
+
mark('pw')
pw_test(realm, ['-krb5'])
pw_test(realm, ['-spnego'])
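Review bot: The new `mark('AP')` block has no comment saying what it exercises, while the neighbouring blocks in this script each open with one (e.g. `# test default (i.e., krb5) mechanism with GSS_C_DCE_STYLE`). Going by the commit message, repeating the four `tgs_test` calls after `ccache_save(realm)` is meant to run each mechanism with a service ticket already cached, so that the acceptor's first token is not an IAKERB token — the case the C change fixes — but nothing in the hunk states that, and a reader who later trims "duplicate" tests would drop the regression coverage. Suggest opening the block with `# Repeat with the saved ccache so the client already holds a service ticket` / `# and the initial token is not an IAKERB token (ticket 9168).` The enclosing `for realm in multipass_realms():` loop starts outside the hunk.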
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index 603433608..1dd34287b 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -811,9 +811,9 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
OM_uint32 major_status = GSS_S_FAILURE;
OM_uint32 code;
iakerb_ctx_id_t ctx;
- int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
+ krb5_boolean first_token = (*context_handle == GSS_C_NO_CONTEXT);
- if (initialContextToken) {
+ if (first_token) {
code = iakerb_alloc_context(&ctx, 0);
if (code != 0)
goto cleanup;
@@ -834,10 +834,6 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
major_status = GSS_S_DEFECTIVE_TOKEN;
if (code != 0)
goto cleanup;
- if (initialContextToken) {
- *context_handle = (gss_ctx_id_t)ctx;
- ctx = NULL;
- }
if (src_name != NULL)
*src_name = GSS_C_NO_NAME;
if (ret_flags != NULL)
@@ -872,9 +868,13 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
*mech_type = gss_mech_iakerb;
cleanup:
- if (initialContextToken && GSS_ERROR(major_status)) {
- iakerb_release_context(ctx);
- *context_handle = GSS_C_NO_CONTEXT;
+ if (first_token) {
+ if (GSS_ERROR(major_status)) {
+ iakerb_release_context(ctx);
+ *context_handle = GSS_C_NO_CONTEXT;
+ } else {
+ *context_handle = (gss_ctx_id_t)ctx;
+ }
}
*minor_status = code;
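Review bot: The cleanup handler now carries the hand-off of `ctx` to the caller and that ownership transfer is uncommented; because the `else` branch also runs for `GSS_S_CONTINUE_NEEDED` (not a `GSS_ERROR` value) this is the intended behaviour, but it reads as success-only. Suggest a comment above the new `if (first_token)`: `/* On the first call, hand the new context to the caller unless we are failing` / ` * (GSS_S_CONTINUE_NEEDED also hands it off); on failure release it. */`. The removed code nulled `ctx` right after the hand-off, whereas the new code leaves `ctx` pointing at the now caller-owned context, which is only safe if nothing after `cleanup:` touches it — the function's tail is outside the hunk, so that could not be confirmed here. Separately, `ctx` is declared uninitialized in the first hunk, so when `iakerb_alloc_context` fails on the first call the error branch calls `iakerb_release_context(ctx)` on whatever that function left in `ctx`; presumably it is NULL-safe or `ctx` is zeroed on failure, but it is worth confirming since this path is unchanged by the commit.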