From 73224fef5a78b02f59e7ada12a462bcf95b8fb08 Mon Sep 17 00:00:00 2001
From: Luke Howard <lukeh@padl.com>
Date: Mon, 2 Aug 2021 15:54:38 +1000
Subject: [PATCH] gss: zero spnego mechanism token error buffer

Ensure mechanism error token buffer, which is allocated on the stack, is zero'd
out before freeing containing ASN.1 structure
---
 lib/gssapi/spnego/accept_sec_context.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c
index d2a8155fe..b7f61163b 100644
--- a/lib/gssapi/spnego/accept_sec_context.c
+++ b/lib/gssapi/spnego/accept_sec_context.c
@@ -35,7 +35,7 @@
 
 static OM_uint32
 send_reject (OM_uint32 *minor_status,
-	     gss_buffer_t mech_token,
+	     gss_const_buffer_t mech_token,
 	     gss_buffer_t output_token)
 {
     NegotiationToken nt;
@@ -64,6 +64,7 @@ send_reject (OM_uint32 *minor_status,
     ASN1_MALLOC_ENCODE(NegotiationToken,
 		       output_token->value, output_token->length, &nt,
 		       &size, *minor_status);
+    nt.u.negTokenResp.responseToken = NULL; /* allocated on stack */
     free_NegotiationToken(&nt);
     if (*minor_status != 0)
 	return GSS_S_FAILURE;