From aaf4cf89a5ba011483917cf9fe600489e491f704 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Mon, 2 Mar 2020 17:08:31 +1100
Subject: [PATCH] gss: initialize output params in test_negoex_mech

test_negoex_mech, being a simple test mechanism ported from MIT that was not designed to be particularly robust, failed to initialize various output parameters such as the source name. On Heimdal this triggered an invalid read because the mechglue did not initialize those variables before calling the mechanism. This commit fixes this.
---
 lib/gssapi/test_negoex_mech.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/lib/gssapi/test_negoex_mech.c b/lib/gssapi/test_negoex_mech.c
index f9d6c5246..5b900518d 100644
--- a/lib/gssapi/test_negoex_mech.c
+++ b/lib/gssapi/test_negoex_mech.c
@@ -68,6 +68,13 @@ gss_init_sec_context(OM_uint32 *minor_status,
     const char *envstr;
     uint8_t hops, mech_last_octet;
 
+    if (actual_mech)
+        *actual_mech = GSS_C_NO_OID;
+    if (ret_flags)
+        *ret_flags = 0;
+    if (time_rec)
+        *time_rec = 0;
+
     major = gss_duplicate_oid(minor_status, mech_type, actual_mech);
     if (major != GSS_S_COMPLETE)
         return major;
@@ -132,6 +139,17 @@ gss_accept_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle,
     int ret;
     size_t mech_len;
 
+    if (src_name)
+        *src_name = GSS_C_NO_NAME;
+    if (mech_type)
+        *mech_type = GSS_C_NO_OID;
+    if (ret_flags)
+        *ret_flags = 0;
+    if (time_rec)
+        *time_rec = 0;
+    if (delegated_cred_handle)
+        *delegated_cred_handle = GSS_C_NO_CREDENTIAL;
+
     ret = decode_GSSAPIContextToken(input_token->value, input_token->length,
                                     &ct, NULL);
     if (ret == 0) {
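Review bot: The new null-check on `actual_mech` in gss_init_sec_context is undercut by the unchanged line right after it, which still passes `actual_mech` to `gss_duplicate_oid(minor_status, mech_type, actual_mech)`; that call presumably writes its result through the third argument unconditionally, so a NULL `actual_mech` would fault there anyway, while the same call in gss_accept_sec_context is guarded with `if (mech_type)` later in this patch. Either guard this call the same way, `if (actual_mech) { major = gss_duplicate_oid(minor_status, mech_type, actual_mech); if (major != GSS_S_COMPLETE) return major; }`, or drop the null-check here and document that the mechglue always supplies a non-NULL `actual_mech`, so the two functions follow one rule. gss_init_sec_context's signature and the rest of its body are outside this hunk.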
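Review bot: `minor_status` is the one output that the new initialisation block in gss_accept_sec_context leaves untouched, so on any return path that does not set it explicitly a caller of this test mechanism would still read an indeterminate minor code, which is the same class of uninitialised-output read this patch is fixing. The rest of the body is outside the hunk, so I cannot confirm whether every path sets it; if any does not, a `*minor_status = 0;` alongside the other resets closes that gap cheaply. Note that the `input_token->value` dereference on the context line below still assumes a non-NULL `input_token`, which the added guards do not cover.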
@@ -148,7 +166,8 @@ gss_accept_sec_context(OM_uint32 *minor_status, gss_ctx_id_t *context_handle,
     oid.length = (OM_uint32)mech_len;
     oid.elements = mechbuf + sizeof(mechbuf) - mech_len;
 
-    gss_duplicate_oid(minor_status, &oid, mech_type);
+    if (mech_type)
+        gss_duplicate_oid(minor_status, &oid, mech_type);
 
     /*
      * The unwrapped token sits at the end and is just one byte giving the
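Review bot: The guarded call on the new `+` line still discards gss_duplicate_oid's major status, so if the duplicate fails (for example on allocation) `*mech_type` stays at the GSS_C_NO_OID this patch now pre-sets, `*minor_status` is overwritten with the failure's minor code, and the function carries on as though it had succeeded. I would propagate the result inside the guard, `major = gss_duplicate_oid(minor_status, &oid, mech_type); if (major != GSS_S_COMPLETE) return major;`, after releasing whatever the decoded `ct` holds, assuming a major-status local exists in this function (only `int ret; size_t mech_len;` are visible in the earlier hunk). The rest of gss_accept_sec_context lies outside this hunk.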