segfault in spnego_mech.c

Tom Yu tlyu at MIT.EDU
Thu Mar 12 12:53:45 EDT 2009

Marcus Granado <smurca at> writes:

> Hi,
> I think there's a bug in spnego_mech.c leading to a segfault. The line
> numbers here are relative to the release 20899 at
> latest revision of this file in trunk, I believe:
> ).
> A quick description of the problem:
> The function acc_ctx_new()@919 can fail with 3 possibilities in the
> Now, the function spnego_gss_accept_sec_context()@1199 calls acc_ctx_new()
> at line 1248. If ret != GSS_S_COMPLETE, it goes to cleanup at 1291, checking for
> non-equality of only two possible values in return_token: NO_TOKEN_SEND and
> If return_token is not any of them, it calls make_spnego_tokenTarg_msg(),
> dereferencing the NULL pointer sc and triggering a segfault! The pointer sc
> is not initialized at this point for two reasons: (1) we jumped over its
> initialization on line 1264 when we went to cleanup at 1291; and (2) we might be
> calling gss_accept_sec_context for the first time with a null
> context_handle.

I believe this is related to, if not identical to, ticket #6402.
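The control-flow mistake the quoted report describes, as an added illustration that is not code from MIT Kerberos or from either author: a simplified model in which a failed acc_ctx_new() jumps to cleanup while sc is still NULL, shown with the unguarded cleanup beside a guarded one. Every name and value here (spnego_ctx, make_targ_token, RET_FAILURE, ERROR_TOKEN_SEND, the fail_mode parameter) is a constructed stand-in, and the two "skip" states the report mentions are collapsed into a single NO_TOKEN_SEND check.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the status codes and negotiation states in the
 * report; apart from NO_TOKEN_SEND, the names and all values are hypothetical. */
enum { RET_COMPLETE = 0, RET_FAILURE = 1 };
enum { NO_TOKEN_SEND = 0, ERROR_TOKEN_SEND = 1, CONT_TOKEN_SEND = 2 };

typedef struct spnego_ctx {
    char mech_name[16];
} spnego_ctx;

static spnego_ctx g_ctx;        /* stands in for the context acc_ctx_new() would allocate */
static char g_last_token[64];   /* output token of the most recent accept call */
static int g_last_sent;         /* whether that call produced a token */

/* Models make_spnego_tokenTarg_msg(): it reads through sc, so sc must be valid. */
static int make_targ_token(spnego_ctx *sc, int negState, char *out, size_t outlen)
{
    return snprintf(out, outlen, "targ:%s:%d", sc->mech_name, negState) > 0;
}

/* Models acc_ctx_new(): on success hands back a context; on failure hands
 * back no context, but some failure modes still ask for an error token. */
static int acc_ctx_new(int fail_mode, spnego_ctx **sc_out, int *return_token)
{
    if (fail_mode == 0) {
        strcpy(g_ctx.mech_name, "krb5");
        *sc_out = &g_ctx;
        *return_token = CONT_TOKEN_SEND;
        return RET_COMPLETE;
    }
    *sc_out = NULL;
    *return_token = (fail_mode == 1) ? NO_TOKEN_SEND : ERROR_TOKEN_SEND;
    return RET_FAILURE;
}

/* The cleanup logic the report describes: only the token state is tested,
 * so the error token is built through sc even when sc was never assigned. */
int cleanup_unguarded(int return_token, spnego_ctx *sc, char *out, size_t outlen)
{
    if (return_token != NO_TOKEN_SEND)
        return make_targ_token(sc, return_token, out, outlen);  /* NULL dereference when sc == NULL */
    return 0;
}

/* Hardened cleanup: a missing context is ruled out before anything reads it. */
int cleanup_guarded(int return_token, spnego_ctx *sc, char *out, size_t outlen)
{
    if (sc != NULL && return_token != NO_TOKEN_SEND)
        return make_targ_token(sc, return_token, out, outlen);
    out[0] = '\0';      /* no context to build a token from; report the failure bare */
    return 0;
}

/* Models the accept path for a first call, i.e. with a NULL context_handle.
 * Returns the status; token_was_sent() and last_token() expose the result. */
int accept_sec_context(int fail_mode)
{
    spnego_ctx *sc = NULL;          /* first call: no context exists yet */
    int return_token = NO_TOKEN_SEND;
    int ret = acc_ctx_new(fail_mode, &sc, &return_token);
    if (ret != RET_COMPLETE)
        goto cleanup;               /* skips every later initialization of sc */
    /* ... normal processing of the accepted context would continue here ... */
cleanup:
    g_last_sent = cleanup_guarded(return_token, sc, g_last_token, sizeof g_last_token);
    return ret;
}

int token_was_sent(void) { return g_last_sent; }
const char *last_token(void) { return g_last_token; }

int main(void)
{
    int mode;
    for (mode = 0; mode < 3; mode++) {
        int ret = accept_sec_context(mode);
        printf("fail_mode %d: ret=%d token_sent=%d token=\"%s\"\n",
               mode, ret, token_was_sent(), last_token());
    }
    return 0;
}
```

With fail_mode 2 the model reproduces the situation in the report (failure status plus a request to send an error token, with no context allocated); the guarded cleanup returns the failure without touching sc, which is the check a fix for this path needs regardless of which token state triggered it.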

More information about the krbdev mailing list