From: Tom Yu <tlyu@mit.edu>
Date: Tue, 30 Mar 2010 03:05:11 +0000 (+0000)
Subject: MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO
X-Git-Tag: krb5-1.7.2-final~11
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=9c0f73bd27b7778435f32e8c5dbec97ffb00109e;p=krb5.git

MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO

pull up r23832 from trunk

 ------------------------------------------------------------------------
 r23832 | tlyu | 2010-03-23 14:53:52 -0400 (Tue, 23 Mar 2010) | 8 lines

 ticket: 6690
 target_version: 1.8.1
 tags: pullup
 subject: MITKRB5-SA-2010-002 CVE-2010-0628 denial of service in SPNEGO

 The SPNEGO implementation in krb5-1.7 and later could crash due to
 assertion failure when receiving some sorts of invalid GSS-API tokens.

ticket: 6694
version_fixed: 1.7.2

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@23850 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 8235b5bc2..443bb4749 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1561,7 +1561,7 @@ spnego_gss_accept_sec_context(
 	gss_buffer_desc mechtok_out = GSS_C_EMPTY_BUFFER;
 	spnego_gss_ctx_id_t sc = NULL;
 	OM_uint32 mechstat = GSS_S_FAILURE;
-	int sendTokenInit = 0;
+	int sendTokenInit = 0, tmpret;
 
 	mechtok_in = mic_in = mic_out = GSS_C_NO_BUFFER;
 
@@ -1593,7 +1593,6 @@ spnego_gss_accept_sec_context(
 		if (delegated_cred_handle != NULL)
 			*delegated_cred_handle = GSS_C_NO_CREDENTIAL;
 		if (input_token->length == 0) {
-			sendTokenInit = 1;
 			ret = acc_ctx_hints(minor_status,
 					    context_handle,
 					    verifier_cred_handle,
@@ -1602,6 +1601,7 @@ spnego_gss_accept_sec_context(
 					    &return_token);
 			if (ret != GSS_S_COMPLETE)
 				goto cleanup;
+			sendTokenInit = 1;
 			ret = GSS_S_CONTINUE_NEEDED;
 		} else {
 			/* Can set negState to REQUEST_MIC */
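Review bot: Moving `sendTokenInit = 1;` below the acc_ctx_hints() success check (together with the removal in the previous hunk) carries the whole reason for this patch, yet nothing in the code records why the flag must not be set earlier, so a later tidy-up could move it back. A comment above the assignment such as `/* Set only after acc_ctx_hints() succeeds: cleanup builds a tokenInit from the context, which may not exist if the call failed. */` would preserve the rationale next to the code. The enclosing if/else opens in the previous hunk and spnego_gss_accept_sec_context() continues beyond this one.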
@@ -1650,27 +1650,21 @@ spnego_gss_accept_sec_context(
 				 &negState, &return_token);
 	}
 cleanup:
-	if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
-		/* For acceptor-sends-first send a tokenInit */
-		int tmpret;
-
+	if (return_token == INIT_TOKEN_SEND && sendTokenInit) {
 		assert(sc != NULL);
-
-		if (sendTokenInit) {
-			tmpret = make_spnego_tokenInit_msg(sc,
-							   1,
-							   mic_out,
-							   0,
-							   GSS_C_NO_BUFFER,
-							   return_token,
-							   output_token);
-		} else {
-			tmpret = make_spnego_tokenTarg_msg(negState,
-							   sc ? sc->internal_mech : GSS_C_NO_OID,
-							   &mechtok_out, mic_out,
-							   return_token,
-							   output_token);
-		}
+		tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0,
+						   GSS_C_NO_BUFFER,
+						   return_token, output_token);
+		if (tmpret < 0)
+			ret = GSS_S_FAILURE;
+	} else if (return_token != NO_TOKEN_SEND &&
+		   return_token != CHECK_MIC) {
+		tmpret = make_spnego_tokenTarg_msg(negState,
+						   sc ? sc->internal_mech :
+						   GSS_C_NO_OID,
+						   &mechtok_out, mic_out,
+						   return_token,
+						   output_token);
 		if (tmpret < 0)
 			ret = GSS_S_FAILURE;
 	}
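Review bot: The `assert(sc != NULL);` kept in the new tokenInit branch still turns an unexpected NULL context into a process abort inside library code that is handling peer-supplied tokens, which is the same failure class this patch addresses; a runtime check that fails the call is the safer form. Whether `sc` is guaranteed non-NULL once acc_ctx_hints() has returned GSS_S_COMPLETE cannot be confirmed from this hunk, and the tokenTarg branch below already tolerates a NULL `sc` via `sc ? sc->internal_mech : GSS_C_NO_OID`, so guarding the tokenInit branch the same way makes the two consistent. Note also that when acc_ctx_hints() fails after setting return_token to INIT_TOKEN_SEND, sendTokenInit stays 0 and control falls into the tokenTarg branch with sendtoken == INIT_TOKEN_SEND; if an error negTokenResp is the intended reply there, a one-line comment saying so would help the next reader. spnego_gss_accept_sec_context() continues past the end of this hunk.
```c
	if (return_token == INIT_TOKEN_SEND && sendTokenInit) {
		/* Fail the call rather than abort on a missing context. */
		if (sc == NULL) {
			ret = GSS_S_FAILURE;
		} else {
			tmpret = make_spnego_tokenInit_msg(sc, 1, mic_out, 0,
							   GSS_C_NO_BUFFER,
							   return_token, output_token);
			if (tmpret < 0)
				ret = GSS_S_FAILURE;
		}
	} else if (return_token != NO_TOKEN_SEND &&
		   return_token != CHECK_MIC) {
		/* … unchanged: tokenTarg branch … */
	}
```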