From 53d439b14c75cbdada8e7e7bf2222e76f06cb357 Mon Sep 17 00:00:00 2001
From: Tom Yu <tlyu@mit.edu>
Date: Wed, 11 Apr 2007 02:25:17 +0000
Subject: [PATCH] (krb5-1.5.x) fix MITKRB5-SA-2007-003

pull up r19171 from trunk

 r19171@cathode-dark-space:  raeburn | 2007-02-23 19:56:23 -0500
 ticket: 5445
 status: open

 If a reflection is detected, zap the message buffer pointer output
 argument as well as actually freeing the buffer.  (Found while using
 the gsstest option to exercise error conditions.)


ticket: new
tags: pullup
target_version: 1.5.3
version_fixed: 1.5.3

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-5@19422 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/lib/gssapi/krb5/k5unseal.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index 30845bd85..8c999868e 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -457,8 +457,11 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
 
     if ((ctx->initiate && direction != 0xff) ||
 	(!ctx->initiate && direction != 0)) {
-	if (toktype == KG_TOK_SEAL_MSG)
+	if (toktype == KG_TOK_SEAL_MSG) {
 	    xfree(token.value);
+	    message_buffer->value = NULL;
+	    message_buffer->length = 0;
+	}
 	*minor_status = G_BAD_DIRECTION;
 	return(GSS_S_BAD_SIG);
     }
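Review bot: The two added assignments in the `KG_TOK_SEAL_MSG` branch have no comment explaining why an output argument is cleared on an error path, and the reason is not visible in the hunk. `message_buffer` presumably already holds `token.value` from an assignment above the hunk, so without the reset a caller that releases the buffer after `GSS_S_BAD_SIG` would free it a second time. I would add `/* message_buffer aliases token.value; clear it so the caller cannot release the freed buffer again */` above `message_buffer->value = NULL;`. The body of kg_unseal_v1 starts and ends outside the hunk, so every other return after that assignment should be checked for the same pairing of `xfree(token.value)` with a reset of the output. Alternatively, the assignment to `*message_buffer` could be moved below the direction check so that failure paths never expose the pointer.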
-- 
2.26.2