From 436064dc47dc336c44485068fb2f2fbc6cf840f4 Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Tue, 17 Mar 2009 21:34:13 +0000
Subject: [PATCH] CVE-2009-0845 (1.6.x) SPNEGO can dereference a null pointer pull up r22084 from trunk acc_ctx_new() can return an error condition without establishing a SPNEGO context structure. This can cause a null pointer dereference in cleanup code in spnego_gss_accept_sec_context(). ticket: 6426 tags: pullup target_version: 1.6.4 version_fixed: 1.6.4 git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22104 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/spnego/spnego_mech.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 832abe6ec..7854d9f8c 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -1248,7 +1248,8 @@ spnego_gss_accept_sec_context(void *ct,
 &negState, &return_token);
 }
 cleanup:
- if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+ if (return_token == INIT_TOKEN_SEND ||
+ return_token == CONT_TOKEN_SEND) {
 tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
 &mechtok_out, mic_out,
 return_token,
-- 2.26.2
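Review bot: The new guard in front of `make_spnego_tokenTarg_msg(negState, sc->internal_mech, ...)` prevents the crash only indirectly: it relies on `sc` always being established when `return_token` is `INIT_TOKEN_SEND` or `CONT_TOKEN_SEND`, and nothing in the hunk enforces or documents that. Since the commit message says acc_ctx_new() can fail without creating the context, I would test the pointer directly, `if (sc != NULL && (return_token == INIT_TOKEN_SEND || return_token == CONT_TOKEN_SEND)) {`, or at least add a comment above the condition such as `/* sc may be NULL on error paths; only these two states guarantee a context */`. Moving from a deny-list to an allow-list also means any other token state now skips building a response message; that looks intended, but it is worth confirming against the paths that set `return_token`. The body of spnego_gss_accept_sec_context() starts and ends outside the hunk, so the rest of the cleanup path cannot be checked from here.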