From 7a19658c1f4fc4adf85bb7bea96caae5ba57b33e Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 11 Nov 2021 22:38:46 -0600
Subject: [PATCH] spnego: Fix NULL deref
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reported to Heimdal by Michał Kępień .

From the report:

Acknowledgement
---------------

This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND TKEY Query Heap-based Buffer Overflow Remote Code Execution Vulnerability, which was reported to ISC by Trend Micro's Zero Day Initiative.
---
 lib/gssapi/spnego/accept_sec_context.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c
index b7f61163b..bc683031d 100644
--- a/lib/gssapi/spnego/accept_sec_context.c
+++ b/lib/gssapi/spnego/accept_sec_context.c
@@ -754,7 +754,7 @@ acceptor_start
 * If opportunistic token failed, lets try the other mechs.
 */
 
- if (!first_ok && ni->mechToken != NULL) {
+ if (!first_ok) {
 size_t j;
 
 /* Call glue layer to find first mech we support */
@@ -771,11 +771,11 @@ acceptor_start
 break;
 }
 }
- if (ctx->selected_mech_type == GSS_C_NO_OID) {
- heim_assert(ret != GSS_S_COMPLETE, "no oid and no error code?");
- *minor_status = junk;
- goto out;
- }
+ }
+ if (ctx->selected_mech_type == GSS_C_NO_OID) {
+ heim_assert(ret != GSS_S_COMPLETE, "no oid and no error code?");
+ *minor_status = junk;
+ goto out;
 }
 
 /*
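Review bot: Dropping `ni->mechToken != NULL` from the condition in the first hunk means the mech-selection loop that follows (its body lies between the two hunks and is not visible here) now also runs when the initiator sent no mechanism token at all; whether the glue-layer call inside that loop passes or dereferences `ni->mechToken` cannot be confirmed from this hunk, so that path should be checked, or the call skipped when the token is absent. The comment just above, `If opportunistic token failed, lets try the other mechs.`, now understates the entry conditions; I would change it to `If the opportunistic token failed, or no token was sent, try the other mechs.` acceptor_start begins before this hunk.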
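Review bot: Moving the `GSS_C_NO_OID` check out of the `if (!first_ok)` block in the second hunk makes `heim_assert(ret != GSS_S_COMPLETE, "no oid and no error code?")` reachable from attacker-controlled negotiation input on the path where no mechanism was selected; if `ret` is still `GSS_S_COMPLETE` there and `heim_assert` is active in production builds, the acceptor aborts instead of failing the context, which is a remote denial-of-service rather than an error. `ret` is assigned outside this hunk, so I cannot confirm whether that case is possible; a defensive `if (ret == GSS_S_COMPLETE) ret = GSS_S_BAD_MECH;` placed before (or in place of) the assert would turn it into an ordinary error return. acceptor_start continues past this hunk.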