spnego: Fix NULL deref

Reported to Heimdal by Michał Kępień <michal@isc.org>.

From the report:

Acknowledgement
---------------

This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
TKEY Query Heap-based Buffer Overflow Remote Code Execution
Vulnerability, which was reported to ISC by Trend Micro's Zero Day
Initiative.
This commit is contained in:
Nicolas Williams
2021-11-11 22:38:46 -06:00
parent 6cbe35ad5d
commit 7a19658c1f

@@ -754,7 +754,7 @@ acceptor_start
* If opportunistic token failed, lets try the other mechs.
*/
if (!first_ok && ni->mechToken != NULL) {
if (!first_ok) {
size_t j;
/* Call glue layer to find first mech we support */
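Review bot: The comment above the relaxed condition still reads "If opportunistic token failed, lets try the other mechs", which no longer matches the code. Reading the two `if` lines in the usual removed-then-added order, `ni->mechToken != NULL` is dropped and the block is now also entered when the initiator sent no mechToken, so no opportunistic token was ever tried. Please update the comment to cover the no-token case. The commit message should also say which pointer was NULL and on which path, since the subject only says "Fix NULL deref". The rest of the block is not visible in this hunk, so it is worth confirming that nothing in it reads `ni->mechToken` now that it can be NULL here.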
@@ -771,11 +771,11 @@ acceptor_start
break;
}
}
if (ctx->selected_mech_type == GSS_C_NO_OID) {
heim_assert(ret != GSS_S_COMPLETE, "no oid and no error code?");
*minor_status = junk;
goto out;
}
}
if (ctx->selected_mech_type == GSS_C_NO_OID) {
heim_assert(ret != GSS_S_COMPLETE, "no oid and no error code?");
*minor_status = junk;
goto out;
}
/*
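Review bot: The `ctx->selected_mech_type == GSS_C_NO_OID` check, once moved below the closing brace of the `if (!first_ok)` block, is reached on paths that never ran the mech-selection loop. Nothing in the visible lines shows that `junk` has been assigned or that `ret` holds an error on those paths. Please confirm both are initialised before `*minor_status = junk;`. Separately, `heim_assert(ret != GSS_S_COMPLETE, "no oid and no error code?")` now guards a state that depends on the peer's token on every path. If that assertion can ever fail, the acceptor aborts instead of rejecting the context, so consider setting `ret` to a failure status such as GSS_S_BAD_MECH before `goto out` rather than asserting. A short comment at the new location saying that no mechanism was selected on either path would make the reason for hoisting the check obvious.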