diff options
| author | Tomas Kuthan <tkuthan@gmail.com> | 2015-12-29 11:47:49 +0100 |
|---|---|---|
| committer | Tom Yu <tlyu@mit.edu> | 2016-01-08 17:09:24 -0500 |
| commit | b77b952da9ab4bbdb6430f102c0338166a99646c (patch) | |
| tree | b40019cf1b2609290e9274ed5ff9566938d8d645 | |
| parent | d19f02e21f98b5f94c04263dfdde0f0c06ce4683 (diff) | |
| download | krb5-b77b952da9ab4bbdb6430f102c0338166a99646c.zip krb5-b77b952da9ab4bbdb6430f102c0338166a99646c.tar.gz krb5-b77b952da9ab4bbdb6430f102c0338166a99646c.tar.bz2 | |
Check context handle in gss_export_sec_context()
After commit 4f35b27a9ee38ca0b557ce8e6d059924a63d4eff, the
context_handle parameter in gss_export_sec_context() is dereferenced
before arguments are validated by val_exp_sec_ctx_args(). With a null
context_handle, the new code segfaults instead of failing gracefully.
Revert this part of the commit and only dereference context_handle if
it is non-null.
(cherry picked from commit b6f29cbd2ab132e336b5435447348400e9a9e241)
ticket: 8334
version_fixed: 1.13.4
tags: -pullup
status: resolved
| -rw-r--r-- | src/lib/gssapi/mechglue/g_exp_sec_context.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c index e5f95ad..b637452 100644 --- a/src/lib/gssapi/mechglue/g_exp_sec_context.c +++ b/src/lib/gssapi/mechglue/g_exp_sec_context.c @@ -79,7 +79,7 @@ gss_buffer_t interprocess_token; { OM_uint32 status; OM_uint32 length; - gss_union_ctx_id_t ctx = (gss_union_ctx_id_t) *context_handle; + gss_union_ctx_id_t ctx = NULL; gss_mechanism mech; gss_buffer_desc token = GSS_C_EMPTY_BUFFER; char *buf; @@ -94,6 +94,7 @@ gss_buffer_t interprocess_token; * call it. */ + ctx = (gss_union_ctx_id_t) *context_handle; mech = gssint_get_mechanism (ctx->mech_type); if (!mech) return GSS_S_BAD_MECH; @@ -131,7 +132,7 @@ gss_buffer_t interprocess_token; cleanup: (void) gss_release_buffer(minor_status, &token); - if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) { + if (ctx != NULL && ctx->internal_ctx_id == GSS_C_NO_CONTEXT) { /* If the mech deleted its context, delete the union context. */ free(ctx->mech_type->elements); free(ctx->mech_type); |