CVE-2009-0845 (1.6.x) SPNEGO can dereference a null pointer
authorTom Yu <tlyu@mit.edu>
Tue, 17 Mar 2009 21:34:13 +0000 (21:34 +0000)
committerTom Yu <tlyu@mit.edu>
Tue, 17 Mar 2009 21:34:13 +0000 (21:34 +0000)
pull up r22084 from trunk

acc_ctx_new() can return an error condition without establishing a
SPNEGO context structure.  This can cause a null pointer dereference
in cleanup code in spnego_gss_accept_sec_context().

ticket: 6426
tags: pullup
target_version: 1.6.4
version_fixed: 1.6.4

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-6@22104 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/gssapi/spnego/spnego_mech.c

index 832abe6ec4a283a4622439ea0738ea2e9b186491..7854d9f8c62db2b6c9b22efdd8ebc126205400bd 100644 (file)
@@ -1248,7 +1248,8 @@ spnego_gss_accept_sec_context(void *ct,
                                 &negState, &return_token);
        }
 cleanup:
-       if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
+       if (return_token == INIT_TOKEN_SEND ||
+           return_token == CONT_TOKEN_SEND) {
                tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
                                                   &mechtok_out, mic_out,
                                                   return_token,
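Review bot: The rewritten condition at `cleanup:` avoids the `sc->internal_mech` dereference only indirectly — it relies on `INIT_TOKEN_SEND` and `CONT_TOKEN_SEND` being assigned exclusively on paths where acc_ctx_new() has already allocated `sc`, and nothing at the label itself checks that. A direct guard would make the fix hold even if a later change sets one of those states earlier: `if (sc != NULL && (return_token == INIT_TOKEN_SEND || return_token == CONT_TOKEN_SEND)) {`, with a comment such as `/* sc may be NULL if acc_ctx_new() failed before allocating the context */` so the next maintainer does not widen the test back to the old form. Narrowing from "anything but NO_TOKEN_SEND/CHECK_MIC" to two explicit states presumably also stops a token from being built for any other return_token value (an error-token state, if one exists); that looks intended here, but it is worth a sentence in the commit message since it is a behavior change beyond the null-pointer fix. The rest of spnego_gss_accept_sec_context(), including the remaining arguments of the make_spnego_tokenTarg_msg() call, lies outside the hunk.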