[29247] in CVS-changelog-for-Kerberos-V5


krb5 commit [krb5-1.13]: Check context handle in

daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Jan 8 17:16:20 2016

Date: Fri, 8 Jan 2016 17:16:16 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201601082216.u08MGG5D011478@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/b77b952da9ab4bbdb6430f102c0338166a99646c
commit b77b952da9ab4bbdb6430f102c0338166a99646c
Author: Tomas Kuthan <tkuthan@gmail.com>
Date:   Tue Dec 29 11:47:49 2015 +0100

    Check context handle in gss_export_sec_context()
    
    After commit 4f35b27a9ee38ca0b557ce8e6d059924a63d4eff, the
    context_handle parameter in gss_export_sec_context() is dereferenced
    before arguments are validated by val_exp_sec_ctx_args().  With a null
    context_handle, the new code segfaults instead of failing gracefully.
    Revert this part of the commit and only dereference context_handle if
    it is non-null.
    
    (cherry picked from commit b6f29cbd2ab132e336b5435447348400e9a9e241)
    
    ticket: 8334
    version_fixed: 1.13.4
    tags: -pullup
    status: resolved

 src/lib/gssapi/mechglue/g_exp_sec_context.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c
index e5f95ad..b637452 100644
--- a/src/lib/gssapi/mechglue/g_exp_sec_context.c
+++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c
@@ -79,7 +79,7 @@ gss_buffer_t		interprocess_token;
 {
     OM_uint32		status;
     OM_uint32 		length;
-    gss_union_ctx_id_t	ctx = (gss_union_ctx_id_t) *context_handle;
+    gss_union_ctx_id_t	ctx = NULL;
     gss_mechanism	mech;
     gss_buffer_desc	token = GSS_C_EMPTY_BUFFER;
     char		*buf;
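Review bot: initialising `ctx` to NULL here instead of dereferencing `*context_handle` in the declaration is the right fix for the early-dereference problem the commit message describes, but it also changes the invariant for every `goto cleanup` taken before `ctx` is assigned later in the function: on those paths `ctx` is now NULL rather than a (possibly garbage) pointer, so the `cleanup:` label must be prepared for that. A short comment next to `gss_union_ctx_id_t	ctx = NULL;` noting that `ctx` is only set after argument validation would make that dependency explicit to the next reader.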
@@ -94,6 +94,7 @@ gss_buffer_t		interprocess_token;
      * call it.
      */
 
+    ctx = (gss_union_ctx_id_t) *context_handle;
     mech = gssint_get_mechanism (ctx->mech_type);
     if (!mech)
 	return GSS_S_BAD_MECH;
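Review bot: the visible context does not include the validation call that is supposed to precede this dereference, so it should be confirmed that val_exp_sec_ctx_args() runs before `ctx = (gss_union_ctx_id_t) *context_handle;` and rejects both a null `context_handle` and a `*context_handle` equal to GSS_C_NO_CONTEXT; the very next line, `mech = gssint_get_mechanism (ctx->mech_type);`, dereferences `ctx` unconditionally, so any value the validator lets through with `ctx == NULL` would simply move the segfault one line down rather than remove it.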
@@ -131,7 +132,7 @@ gss_buffer_t		interprocess_token;
 
 cleanup:
     (void) gss_release_buffer(minor_status, &token);
-    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) {
+    if (ctx != NULL && ctx->internal_ctx_id == GSS_C_NO_CONTEXT) {
 	/* If the mech deleted its context, delete the union context. */
 	free(ctx->mech_type->elements);
 	free(ctx->mech_type);
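Review bot: the added `ctx != NULL` guard is required now that `ctx` starts out NULL, because any `goto cleanup` taken before the assignment in the body would otherwise dereference a null pointer in `ctx->internal_ctx_id`, which is exactly the failure class this commit is fixing. The guard silently skips the free of `ctx->mech_type->elements` and `ctx->mech_type` on those paths, which is correct since nothing was allocated for a context that was never resolved, but a one-line comment stating that `ctx` is NULL only when validation failed before the context was looked up would document why skipping the frees does not leak.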
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
